PREFACE

This handbook, Reliability Prediction, is the second in a series of five on reliability. The series is directed largely toward the working engineers who have the responsibility for creating and producing equipment and systems which can be relied upon by the users in the field.

The five handbooks are:

1. Design for Reliability, AMCP 706-196
2. Reliability Prediction, AMCP 706-197
3. Reliability Measurement, AMCP 706-198
4. Contracting for Reliability, AMCP 706-199
5. Mathematical Appendix and Glossary, AMCP 706-200.

This handbook is directed toward reliability engineers who need to be familiar with the mathematical-probabilistic-statistical techniques for predicting the reliability of various configurations of hardware. The material in standard textbooks is not repeated here; the important points are summarized, and references are given to the standard works.

The majority of the handbook content was obtained from many individuals, reports, journals, books, and other literature. It is impractical here to acknowledge the assistance of everyone who made a contribution.

The original volume was prepared by Tracor Jitco, Inc. The revision was prepared by Dr. Ralph A. Evans of Evans Associates, Durham, N.C., for the Engineering Handbook Office of the Research Triangle Institute, prime contractor to the US Army Materiel Command. Technical guidance and coordination on the original draft were provided by a committee under the direction of Mr. O. P. Bruno, US Army Materiel Systems Analysis Agency, US Army Materiel Command.

The Engineering Design Handbooks fall into two basic categories, those approved for release and sale, and those classified for security reasons. The US Army Materiel Command policy is to release these Engineering Design Handbooks in accordance with current DOD Directive 7230.7, dated 18 September 1973. All unclassified handbooks can be obtained from the National Technical Information Service (NTIS). Procedures for acquiring these handbooks follow:

a. All Department of Army activities having need for the handbooks must submit their request on an official requisition form (DA Form 17, dated Jan 70) directly to:

Commander
Letterkenny Army Depot
ATTN: AMXLE-ATD
Chambersburg, PA 17201

(Requests for classified documents must be submitted, with appropriate "Need to Know" justification, to Letterkenny Army Depot.) DA activities will not requisition handbooks for further free distribution.

b. All other requestors, DOD, Navy, Air Force, Marine Corps, nonmilitary Government agencies, contractors, private industry, individuals, universities, and others must purchase these handbooks from:

National Technical Information Service
Department of Commerce
Springfield, VA 22151

Classified documents may be released on a "Need to Know" basis verified by an official Department of Army representative and processed from Defense Documentation Center (DDC), ATTN: DDC-TSR, Cameron Station, Alexandria, VA 22314.

Comments and suggestions on this handbook are welcome and should be addressed to:

Commander
US Army Materiel Development and Readiness Command
Alexandria, VA 22333

(DA Forms 2028, Recommended Changes to Publications, which are available through normal publications supply channels, may be used for comments/suggestions.)
CHAPTER 1 INTRODUCTION

This handbook reviews the basic ideas and formulas in probability and statistics and shows the kinds of models that might be useful for the reliability of systems. The concept of s-independence is discussed very thoroughly since it is so important in reliability improvements wrought by redundancy.

A large portion of the handbook deals with the effects of redundancy, simply because the calculation of reliability for nonredundant systems is so straightforward (although often tedious). The distinction between redundancy and repair is blurred in practice, especially when a failed unit is replaced by a good inactive unit.

Some of the techniques are presented only in their basic form. References are given for further study. Often the designer and reliability engineer will have better things to do than study sophisticated mathematics. It is usually better to find a person already trained in the subject who can then solve the specialized problems. In those cases the function of this handbook is to provide the designer and reliability engineer with

(1) basic knowledge, so they can converse intelligently with the experts, and

(2) perspective, so they know when to call an expert.

In dealing with mathematics it is important always to remember what mathematics is, and what it isn't. Mathematics per se is rules and relationships between abstract concepts. It is always "true" in the sense that it is correct (assuming no rules were violated), but all mathematics is not applicable to everything. It is in applying mathematics to a problem that we get in trouble. We have to choose what kind of mathematics to use, and then to choose what real-world things will be represented by what mathematical concepts. For example, is a particular material adequately representable by elastic, viscoelastic, or viscous equations? Or, is a physical coil of wire representable by a lumped inductance in series with a resistance?

Probability theory is abstract mathematics that can usefully represent many situations. Much of this handbook shows how to represent things by probabilities and how to manipulate those probabilities.

There is little that is new in probability/statistics for reliability. The Bibliography at the end of this chapter gives many references for those who need instruction in those topics. The books are labeled as Elementary, Intermediate, or Advanced. This handbook makes no attempt to rewrite all those books.

BIBLIOGRAPHY

Probability and Statistics Books

AMCP 706-110 through -114, Experimental Statistics, Sections 1-5, USGPO (Intermediate).

R. E. Barlow and F. Proschan, Mathematical Theory of Reliability, John Wiley & Sons, Inc., N.Y., 1965 (Advanced).

Vic Barnett, Comparative Statistical Inference, John Wiley & Sons, Inc., N.Y., 1973 (1975 corrected reprint), (Intermediate, Advanced).

A. M. Breipohl, Probabilistic Systems Analysis, John Wiley & Sons, Inc., N.Y., 1970 (Elementary, Intermediate).

DA Pam 70-5, Mathematics of Military Action, Operations and Systems (Elementary, Intermediate).

A. J. Duncan, Quality Control and Industrial Statistics, Richard D. Irwin, Inc., Homewood, Ill., 1965 (Elementary, Intermediate).

W. Feller, An Introduction to Probability Theory and Its Applications, Vols. I, II, John Wiley & Sons, Inc., N.Y., Vol. I, 1957, Vol. II, 1966 (Advanced).

J. E. Freund, Modern Elementary Statistics, Prentice-Hall, Englewood Cliffs, N.J., 1967 (Elementary).

Gnedenko, Belyayev, and Solovyev, Mathematical Methods of Reliability Theory, Academic Press, N.Y., 1969 (Advanced).

P. Hoel, Introduction to Mathematical Statistics, John Wiley & Sons, Inc., N.Y., 1962 (Elementary, Intermediate).

Mann, Schafer, and Singpurwalla, Methods for Statistical Analysis of Reliability and Life Data, John Wiley & Sons, Inc., N.Y., 1974 (Intermediate, Advanced).

I. Miller and J. E. Freund, Probability and Statistics for Engineers, Prentice-Hall, Englewood Cliffs, N.J., 1965 (Elementary).

NBS Handbook 91, Experimental Statistics, USGPO 1966 (Intermediate).

E. Parzen, Modern Probability Theory and Its Applications, John Wiley & Sons, Inc., N.Y., 1960 (Intermediate, Advanced).

E. Parzen, Stochastic Processes, Holden-Day, Inc., San Francisco, 1962 (Advanced).

M. L. Shooman, Probabilistic Reliability, McGraw-Hill, N.Y., 1968 (Elementary, Intermediate).

Many of the early reliability texts, and some of the more recent ones which are not mentioned here, have an inadequate or poor introduction to probability and statistics. Most probability/statistics texts are quite adequate.
CHAPTER 2 REVIEW OF ELEMENTARY PROBABILITY THEORY (DISCRETE)

2-0 LIST OF SYMBOLS

$A, B, C, D$ = sets
$A_F, A_G, B_F, B_G$ = events that units $U_A$ and $U_B$ are Failed or Good
$A_i, B_i, C_i, E_i$ = subsets of $A, B, C, E$
$E\{\ \}$ = s-expected value of
$E_B, E_{HT}, E_{ET}$ = events of Benign, High Temperature, Electrical Transient environments
$E_L, E_S$ = events of Light and Severe environments
$M_i$ = $i$th central moment
$N_i$ = number of subsets in $A, B, E$
pmf = probability mass function
$\Pr\{\ \}$ = probability of
s- = denotes statistical definition
$\mu$ = mean
$\sigma$ = standard deviation
$\sigma^2$ = variance
$\Omega$ = complete sample space
$\phi$ = null event
$\cup$ = union
$\cap$ = intersection

2-1  INTRODUCTION 

The question always arises "What is probability?" Some say it is relative frequency; others say it is degree-of-belief; and still others have different concepts. In many good reliability and engineering textbooks (and virtually all mathematical books) probabilities are mathematical concepts which can then be applied to such things as relative frequency and degree-of-belief. The situation is analogous to plane geometry. Plane geometry is a mathematical theory that uses concepts such as point and line. The theory is true (consistent) regardless of what a point or line is taken to be. Plane geometry often is applied successfully to many reasonably flat things in everyday life, and we associate point and line with the everyday concepts.

Probability and statistics are related very closely to each other. The difference between them is not clear to many engineers. Probability theory usually considers the parameters of a general problem as known, then computes numbers (probabilities) about particular sets of events. It goes from the general to the particular. Statistics on the other hand treats actual data and tries to decide what useful things can be done with them and how to get them. It goes from the particular to the general. A statistic is a number obtained from a sample or obtained from manipulating other statistics. In engineering problems one usually uses a mixture of probability and statistics; there is little to be gained in debating which calculations are probabilistic and which are statistical.

2-2  BASIC  PROBABILITY  RULES 

2-2.1 SAMPLE SPACE, SAMPLE POINT, EVENT

These are basic concepts for any probability problem. The sample space is made up of all the sample points. An event is a collection of sample points; it can contain as few sample points as none, or as many as all. The concepts are best illustrated by examples. See the Bibliography in Chapter 1 for books which can explain the concepts.

Example 1. For one throw of a single die, the sample space is the set of numbers 1, 2, 3, 4, 5, 6; i.e., the sample space is all possible values that can arise. Each value is called a sample point. There are six sample points in the sample space for this example.

Every possible single outcome of an experiment is a sample point. The naming of every sample point is a first step in making a probabilistic model of any problem, although it often is done implicitly. Each sample point also has a probability associated with it. The probability usually is assigned or calculated from known event-probabilities.

In the example of one throw of a single die, the probabilities usually are assigned by defining the die to be "fair"; i.e., each face has an equal probability of appearing. Then the probability assigned to each sample point is 1/6. By definition, the sum of the probabilities for all sample points must be one.

Engineers who use probability often go astray because they do not understand sample-space and assignment of probabilities to each sample point.
Example 2. A coin is tossed three times. What is the sample-space? Let t denote a tail and h a head. Then there are eight sample points in the sample space:

ttt    htt
tth    hth
tht    hht
thh    hhh

The event 'First toss is a head' has four sample points: htt, hth, hht, hhh. The event "'First toss is a head' $\cap$ 'Last toss is a tail'" has two sample points: htt, hht. The event 'First toss is neither a head nor a tail' has no sample points.

2-2.2  NOTATION  AND  DEFINITIONS 

There is no universally accepted and used set of notation. Because the difficulties engineers have with probability are often basic in nature, a notation is selected which is not easily confused with something else, even though it is sometimes cumbersome. The notation and definitions are illustrated in Figs. 2-1 and 2-2.

$\phi$    The null event; viz., the event contains no sample points.

$\Omega$    The complete sample space; viz., the event contains all the sample points.

$\cup$    Union, and/or; e.g., $A \cup B$ contains all sample points which are in $A$ and/or in $B$. (Sometimes + is used.)

$\cap$    Intersection, both/and; e.g., $A \cap B$ contains only those sample points which are in both $A$ and $B$. (Sometimes $\times$ is used.)

$\Pr\{\cdot\}$    Probability of the event (or sample point) contained in the { }; e.g.,
    $\Pr\{a\}$ = probability of the sample point $a$
    $\Pr\{A\}$ = probability of the event $A$

$\mid$    Conditional probability; probability of the event to the left of the $\mid$, given that the event (condition) to the right of the $\mid$ has occurred; e.g., $\Pr\{A \mid B\}$ is the conditional probability of event $A$, given that the event $B$ has occurred.
    $\Pr\{A \mid B\} = \Pr\{A \cap B\} / \Pr\{B\}$; $\Pr\{B\} \neq 0$.
    $\Pr\{A \mid B\}$ is meaningless (contradiction in terms) if $\Pr\{B\} = 0$.

mutually exclusive    Two events are mutually exclusive if and only if they have no sample points in common; e.g., $A$ and $B$ are mutually exclusive if and only if $A \cap B = \phi$.

exhaustive    A set of events is exhaustive if and only if the union of the events contains all sample points in the sample space; e.g., $A$, $B$, $C$ are exhaustive if $A \cup B \cup C = \Omega$.

partitioning    A set of events is a partitioning of the sample space if and only if the events are all mutually exclusive and the set is exhaustive. (The name comes from the way a set of partitions breaks up a room into smaller rooms, each of which is separate; but every part of the original room is in some smaller room.)

$\bar{\ }$ (overbar)    Denotes the complement of an event; e.g., $\bar{A}$ is the complement of $A$.

Complement    The complement of an event contains all the sample points in the sample space which are not in the event. A formal definition is $B = \bar{A}$ if and only if $A \cup B = \Omega$ and $A \cap B = \phi$.

, (comma)    Beware of the comma, it is not ordinarily a defined symbol. Often intersection is meant, but one can't be sure.

$\Pr\{\cdot\,;\cdot\}$    Probability of the event to the left of the ; . The events or parameters to the right of the semicolon are known. The notation is often used for emphasis or as a reminder. It is similar to $\Pr\{\cdot \mid \cdot\}$ except that the event to the right of the $\mid$ is a random one, whereas the event or parameters to the right of the ; are certain (known exactly).

$\in$    $a \in B$ means that $a$ is a sample point of $B$.

$\subset$    $A \subset B$ means that $A$ is a subset of $B$; viz., all sample points of $A$ are also in $B$, but all sample points of $B$ need not be in $A$.

[Figure: panels (A) Complement, (B) Intersection, (C) Union]

Definitions

$\Omega$ = 1 through 23
$A$ = 1 through 5, 7, 12
$B$ = 5, 6, 8 through 12
$C$ = 8, 9, 12 through 15, 18 through 20
$D$ = 22, 23

Examples of Set Relationships

$A \cap B$ = 5, 12
$B \cap C$ = 8, 9, 12
$C \cap A$ = 12
$A \cap B \cap C$ = 12
$A \cap D = \phi$
$B \cap D = \phi$
$C \cap D = \phi$
$\bar{A}$ = 6, 8 through 11, 13 through 23
$\bar{B}$ = 1 through 4, 7, 13 through 23
$\bar{C}$ = 1 through 7, 10, 11, 16, 17, 21 through 23
$\bar{D}$ = 1 through 21
$\bar{A} \cap D$ = 22, 23
$D \subset \bar{A}$
$D \subset (\bar{A} \cap \bar{B})$
$\bar{D} \cap (\bar{B} \cap C)$ = 13 through 15, 18 through 20
$22 \in D$

FIGURE 2-2. Example Event Relationship for 4 Events

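2-2.3 RULES, LAWS, AND DEFINITIONS FOR EVENTS

Let $A$, $B$, $C$ be any events.

$A \cup \bar{A} = \Omega$    (2-1)

$A \cap \bar{A} = \phi$    (2-2)

$A \cup A = A$    (2-3)

$A \cap A = A$    (2-4)

$A \cup B = B \cup A$    (2-5)

$A \cap B = B \cap A$    (2-6)

$A \cup (B \cup C) = (A \cup B) \cup C = A \cup B \cup C$    (2-7)

$A \cap (B \cap C) = (A \cap B) \cap C = A \cap B \cap C$    (2-8)

$A \cup (B \cap C) = (A \cup B) \cap (A \cup C)$    (2-9)

$A \cap (B \cup C) = (A \cap B) \cup (A \cap C)$    (2-10)

$\overline{(A \cup B)} = \bar{A} \cap \bar{B}$    (2-11)

$\overline{(A \cap B)} = \bar{A} \cup \bar{B}$    (2-12)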


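2-2.4 RULES, LAWS, AND DEFINITIONS FOR PROBABILITIES

Let $A$, $B$, $C$ be any events; and let

$A_i$, $i = 1, \ldots, N_A$ be a partitioning of $A$. (The $A_i$ are mutually exclusive and exhaustive.)

$B_i$, $i = 1, \ldots, N_B$ be a partitioning of $B$. (The $B_i$ are mutually exclusive and exhaustive.)

$a_j$, $j = 1, \ldots, M$ be the sample points in $A$.

$E_i$, $i = 1, \ldots, N_E$ be any $N_E$ events.

$\Pr\{A\} = \sum_{j=1}^{M} \Pr\{a_j\}$    (2-13)

$0 \le \Pr\{A\} \le 1$    (2-14)

$\Pr\{\phi\} = 0$    (2-15)

$\Pr\{\Omega\} = 1$    (2-16)

$\Pr\{A \cup B\} = \Pr\{A\} + \Pr\{B\} - \Pr\{A \cap B\}$    (2-17)

$\Pr\{A \cup B \cup C\} = \Pr\{A\} + \Pr\{B\} + \Pr\{C\} - \Pr\{A \cap B\} - \Pr\{B \cap C\} - \Pr\{C \cap A\} + \Pr\{A \cap B \cap C\}$    (2-18)

$\Pr\{A \mid B\} = \Pr\{A \cap B\} / \Pr\{B\}$ for $\Pr\{B\} \neq 0$    (2-19)

$\Pr\{E_1 \cup E_2 \cup \cdots \cup E_{N_E}\} = \sum_{i=1}^{N_E} \Pr\{E_i\} - \sum_{i=1}^{N_E} \sum_{j=1}^{i-1} \Pr\{E_i \cap E_j\} + \sum_{i=1}^{N_E} \sum_{j=1}^{i-1} \sum_{k=1}^{j-1} \Pr\{E_i \cap E_j \cap E_k\} - \cdots \pm \Pr\{E_1 \cap E_2 \cap \cdots \cap E_{N_E}\}$    (2-20)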
The first term in Eq. 2-20 is an upper bound; adding terms in succession provides an alternating series of bounds which get increasingly better, until exactness is reached when all terms are used.
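The alternating bounds of Eq. 2-20, computed term by term for the four events A, B, C, D of Fig. 2-2. This Python is an added example, not part of the handbook; the function names are assumptions, and the 23 sample points are assumed equally likely (the figure assigns them no probabilities).

```python
from fractions import Fraction
from itertools import combinations

# Events of Fig. 2-2 as sets of sample points (sample space = 1 through 23).
OMEGA = set(range(1, 24))
A = {1, 2, 3, 4, 5, 7, 12}
B = {5, 6, 8, 9, 10, 11, 12}
C = {8, 9, 12, 13, 14, 15, 18, 19, 20}
D = {22, 23}

# Assumption for this example only: every sample point has probability 1/23.
PROB = {point: Fraction(1, len(OMEGA)) for point in OMEGA}


def pr(event, prob=PROB):
    """Eq. 2-13: add the probabilities of the sample points in the event."""
    return sum((prob[p] for p in event), Fraction(0))


def inclusion_exclusion_terms(events, prob=PROB):
    """Unsigned terms of Eq. 2-20.

    Entry k-1 is the sum of Pr{intersection} over every way of choosing
    k of the events (singles, pairs, triples, ...).
    """
    terms = []
    for k in range(1, len(events) + 1):
        term = sum((pr(set.intersection(*combo), prob)
                    for combo in combinations(events, k)), Fraction(0))
        terms.append(term)
    return terms


def successive_bounds(events, prob=PROB):
    """Partial sums of Eq. 2-20, labelled as upper or lower bounds.

    Stopping after an odd number of terms gives an upper bound on the
    probability of the union; stopping after an even number gives a lower
    bound. The last partial sum is the exact value.
    """
    bounds = []
    running = Fraction(0)
    for k, term in enumerate(inclusion_exclusion_terms(events, prob), start=1):
        running += term if k % 2 else -term
        bounds.append(("upper" if k % 2 else "lower", running))
    return bounds


def union_probability(events, prob=PROB):
    """Exact Pr of the union, computed directly from the sample points."""
    return pr(set.union(*events), prob)


if __name__ == "__main__":
    exact = union_probability([A, B, C, D])
    for kind, value in successive_bounds([A, B, C, D]):
        print(f"{kind:5s} bound {value}  (exact {exact})")
```

With these events the first term alone gives 25/23, a bound that exceeds one, which is why the first-term approximation is only useful when the individual probabilities are small.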

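$\Pr\{A \cap B\} = \Pr\{A \mid B\} \Pr\{B\} = \Pr\{B \mid A\} \Pr\{A\}$    (2-21)

Eq. 2-21 is a form of Bayes' Theorem.

$\Pr\{A \cap B \cap C\} = \Pr\{A \mid (B \cap C)\} \Pr\{B \mid C\} \Pr\{C\}$    (2-22)

$\Pr\{A\} = \sum_{i=1}^{N_A} \Pr\{A_i\}$    (2-23a)

$\Pr\{A\} = \sum_{j=1}^{N_B} \Pr\{A \mid B_j\} \Pr\{B_j\}$    (2-23b)

$\Pr\{A_i \mid B\} = \dfrac{\Pr\{B \mid A_i\} \Pr\{A_i\}}{\sum_{j=1}^{N_A} \Pr\{B \mid A_j\} \Pr\{A_j\}}$    (2-24)

Eq. 2-24 is a form of Bayes' Theorem.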

2-3  s-INDEPENDENCE 

There are several equivalent definitions of s-independence. From an engineering point of view, the most satisfactory definition is Eq. 2-25.

$A$ and $B$ are s-independent if and only if

$\Pr\{A \mid B\} = \Pr\{A \mid \bar{B}\} = \Pr\{A\}$.    (2-25)

That is, the probability of $A$ is the same regardless of whether we know that $B$ has occurred, or has not occurred, or we do not know about $B$; $B$ just doesn't make any difference. There are several equations that are logically equivalent to Eq. 2-25, each implying the others. (The second equation in Eq. 2-25 actually is implied by the first one.) The most satisfactory definition from a statistical point of view is Eq. 2-26.

$A$ and $B$ are s-independent if and only if

$\Pr\{A \cap B\} = \Pr\{A\} \Pr\{B\}$.    (2-26)

Eq. 2-26 is defined even for $\Pr\{B\} = 0$ or 1 whereas Eq. 2-25 is not. The extension to more than two events is easier with Eq. 2-26.

$N$ events are s-independent if and only if for every intersection of events taken 2, 3, ..., $N$ at a time, the probability of the intersection of those events is the product of the probabilities of the individual events. This can be a complicated concept; see the Bibliography at the end of Chapter 1 for a further discussion.

Example.

Suppose there are 2 units (from one population) in a subsystem and both must fail for the subsystem to fail. If the probability of failure of each is 0.200 and the probability of subsystem failure is $0.200 \times 0.200 = 0.0400$, then the failure events are s-independent. Even if the probability of subsystem failure were 0.0404 (e.g., 1% above the 0.0400 figure), the failure events could be considered s-independent for engineering purposes.

Suppose that the probability of failure of each unit is $1.00 \times 10^{-3}$ and the probability of subsystem failure is $1.00 \times 10^{-6}$; then the failure events are s-independent. But if the probability of subsystem failure were 0.000401 (0.0004 more, just as in the preceding paragraph), the failure events would in no way be s-independent. When failure probabilities are very small, one must be very careful not to ignore events whose probabilities might ordinarily be neglected.

2-4 CONDITIONAL s-INDEPENDENCE

A very important concept is conditional s-independence; i.e., two (or more) events can be conditionally s-independent, given a particular event. All general theorems on probabilities are valid also for conditional probabilities with respect to any particular event $C_i$. Thus Eq. 2-25 becomes

$\Pr\{A \mid (B \cap C_i)\} = \Pr\{A \mid (\bar{B} \cap C_i)\} = \Pr\{A \mid C_i\}$    (2-27)

and Eq. 2-26 becomes

$\Pr\{A \cap B \mid C_i\} = \Pr\{A \mid C_i\} \Pr\{B \mid C_i\}$.    (2-28)

In many engineering situations, if two events $A$ and $B$ (say, failures) are not s-independent, they will be conditionally s-independent, given each event of a set of events which is a partitioning of the sample space.
Example.

$A_F$, $A_G$    events that unit $U_A$ is failed or good

$B_F$, $B_G$    events that unit $U_B$ is failed or good

Let the sample points, events, and associated probabilities be as shown in Table 2-1. The probability of each event, as shown, is the sum of the probabilities of each of the sample points in the event.

Are the events $A_F$, $B_F$ s-independent? To find out, use Eq. 2-26.

$\Pr\{A_F \cap B_F\} = \Pr\{(a_f b_f)\} = 0.158$

$\Pr\{A_F\} \times \Pr\{B_F\} = 0.250 \times 0.380 = 0.095$

They are not the same ($0.158 \neq 0.095$); so the events $A_F$, $B_F$ are s-dependent.

Suppose there are two possible environments, light (event $E_L$) and severe (event $E_S$), and that the new sample space, events, and probabilities are as shown in Table 2-2. The events $A_F$ and $B_F$ are conditionally s-independent as shown by the calculations in Table 2-3. Eqs. 2-28 and 2-19 are used in the calculation.

TABLE 2-1. SAMPLE SPACE FOR EXAMPLE

                    $B_G$ (0.620)         $B_F$ (0.380)
$A_G$ (0.750)       $a_g b_g$  0.528      $a_g b_f$  0.222
$A_F$ (0.250)       $a_f b_g$  0.092      $a_f b_f$  0.158

The number associated with each of the 4 sample points ($a_g b_g$, $a_g b_f$, $a_f b_g$, $a_f b_f$) is the probability of that sample point.

The events are defined as
$A_G = (a_g b_g, a_g b_f)$
$A_F = (a_f b_g, a_f b_f)$
$B_G = (a_g b_g, a_f b_g)$
$B_F = (a_g b_f, a_f b_f)$

The conditions under which events are conditionally s-independent are sometimes called common-modes,* and the failures which result from severe common-modes are called common-mode failures. This phenomenon is so important it will be illustrated with another example.

Example, Common mode (cause) failure:

Notation:

$A_F$, $B_F$ = failure events of units $U_A$ and $U_B$.

$A_F \cap B_F$ = failure event of the system.

$E_B$, $E_{HT}$, $E_{ET}$ = a partitioning of the sample space: event of a Benign Environment, a High-Temperature Environment, and an Electrical-Transient Environment.

Given: The events $A_F$, $B_F$ are conditionally s-independent, given $E_i$ ($i$ = B, HT, ET).

$\Pr\{A_F \mid E_B\} = \Pr\{B_F \mid E_B\} = 6 \times 10^{-4}$,    $\Pr\{E_B\} = 0.9976$

$\Pr\{A_F \mid E_{HT}\} = \Pr\{B_F \mid E_{HT}\} = 1 \times 10^{-2}$,    $\Pr\{E_{HT}\} = 2 \times 10^{-3}$

$\Pr\{A_F \mid E_{ET}\} = \Pr\{B_F \mid E_{ET}\} = 1 \times 10^{-1}$,    $\Pr\{E_{ET}\} = 4 \times 10^{-4}$

Cursory inspection of the data shows that $U_A$ and $U_B$ are quite reliable if the environment is benign, and that nonbenign environments are rare. We first calculate the unconditional failure probability for $U_A$ and $U_B$ (see Table 2-4). It is negligibly different from the benign conditional failure probability. This leads us to believe, reasonably enough, that the effects of the nonbenign environments are negligible.

But then we calculate the probabilities that both $U_A$ and $U_B$ are failed (see Table 2-4). The situation is now quite different; one of the nonbenign environments is most important.

*Now called "common-cause."
TABLE 2-2. SAMPLE SPACE FOR MODIFIED EXAMPLE

Light environment, $E_L$ (0.700)

                            $B_G \cap E_L$ (0.560)    $B_F \cap E_L$ (0.140)
$A_G \cap E_L$ (0.630)      p111  0.504               p121  0.126
$A_F \cap E_L$ (0.070)      p211  0.056               p221  0.014

Severe environment, $E_S$ (0.300)

                            $B_G \cap E_S$ (0.060)    $B_F \cap E_S$ (0.240)
$A_G \cap E_S$ (0.120)      p112  0.024               p122  0.096
$A_F \cap E_S$ (0.180)      p212  0.036               p222  0.144

$E_L$ = (p111, p121, p211, p221);  $A_G$ = (p111, p121, p112, p122);  $B_G$ = (p111, p211, p112, p212)
$E_S$ = (p112, p122, p212, p222);  $A_F$ = (p211, p221, p212, p222);  $B_F$ = (p121, p221, p122, p222)

Explanation of notation for pijk:

i  position reserved for event A
j  position reserved for event B
k  position reserved for event E

1 = "good" for events A and B
2 = "fail" for events A and B
1 = "light" for event E
2 = "severe" for event E
TABLE 2-3. CALCULATIONS TO SHOW EVENTS $A_F$ AND $B_F$ ARE CONDITIONALLY s-INDEPENDENT

1. Procedure: State the sample space, events, and their probabilities.
   Example: See Table 2-2.

2. Procedure: State the events to be tested for conditional s-independence and the conditions.
   Example: $A_F$, $B_F$ to be conditionally s-independent. $E_L$, $E_S$ are the conditions.

3. Procedure: State the equations tested.
   $\Pr\{A \cap B \mid C_i\} = \Pr\{A \mid C_i\} \Pr\{B \mid C_i\}$    (2-28)
   Example: $\Pr\{(A_F \cap B_F) \mid E_i\} = \Pr\{A_F \mid E_i\} \Pr\{B_F \mid E_i\}$ for $i$ = L, S

4. Procedure: Use the definition of conditional probability to find each of the probabilities.
   $\Pr\{A \mid B\} = \Pr\{A \cap B\} / \Pr\{B\}$ for $\Pr\{B\} \neq 0$    (2-19)
   Example:
   $\Pr\{(A_F \cap B_F) \mid E_i\} = \Pr\{A_F \cap B_F \cap E_i\} / \Pr\{E_i\}$    (2-29)
   $\Pr\{A_F \mid E_i\} = \Pr\{A_F \cap E_i\} / \Pr\{E_i\}$    (2-30)
   $\Pr\{B_F \mid E_i\} = \Pr\{B_F \cap E_i\} / \Pr\{E_i\}$ for $i$ = L, S    (2-31)

5. Procedure: Find the sample points in each of the intersections.
   Example:
   $A_F \cap B_F \cap E_L$ = (p221)
   $A_F \cap B_F \cap E_S$ = (p222)
   $A_F \cap E_L$ = (p211, p221)
   $A_F \cap E_S$ = (p212, p222)
   $B_F \cap E_L$ = (p121, p221)
   $B_F \cap E_S$ = (p122, p222)

6. Procedure: Find the probabilities by adding the probabilities of the sample points.
   Example:
   $\Pr\{A_F \cap B_F \cap E_L\} = 0.014$
   $\Pr\{A_F \cap B_F \cap E_S\} = 0.144$
   $\Pr\{A_F \cap E_L\} = 0.056 + 0.014 = 0.070$
   $\Pr\{A_F \cap E_S\} = 0.036 + 0.144 = 0.180$
   $\Pr\{B_F \cap E_L\} = 0.126 + 0.014 = 0.140$
   $\Pr\{B_F \cap E_S\} = 0.096 + 0.144 = 0.240$
   $\Pr\{E_L\} = 0.504 + 0.126 + 0.056 + 0.014 = 0.700$
   $\Pr\{E_S\} = 0.024 + 0.096 + 0.036 + 0.144 = 0.300$

7. Procedure: Calculate the conditional probabilities, using Eqs. 2-29, 2-30, and 2-31 for $i$ = L, S.
   Example:
   $\Pr\{(A_F \cap B_F) \mid E_L\} = 0.014/0.700 = 0.020$
   $\Pr\{(A_F \cap B_F) \mid E_S\} = 0.144/0.300 = 0.480$
   $\Pr\{A_F \mid E_L\} = 0.070/0.700 = 0.100$
   $\Pr\{A_F \mid E_S\} = 0.180/0.300 = 0.600$
   $\Pr\{B_F \mid E_L\} = 0.140/0.700 = 0.200$
   $\Pr\{B_F \mid E_S\} = 0.240/0.300 = 0.800$

8. Procedure: Check the equations in step 3.
   Example:
   for $i$ = L: $0.020 = 0.100 \times 0.200 = 0.020$  yes
   for $i$ = S: $0.480 = 0.600 \times 0.800 = 0.480$  yes

The events $A_F$, $B_F$ are conditionally s-independent, given each of the conditions $E_L$, $E_S$. As shown in the previous example $A_F$, $B_F$ are not (unconditionally) s-independent.
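The checks of Tables 2-1 through 2-3 can be run mechanically on the eight sample points. This Python is an added example, not part of the handbook; the function names are assumptions, and the sample-point probabilities are the ones added up in step 6 of Table 2-3.

```python
from fractions import Fraction
from itertools import product

# Sample points p_ijk of Table 2-2, keyed (state of U_A, state of U_B, environment).
# "G"/"F" = good/failed, "L"/"S" = light/severe. Exact decimals avoid float noise.
PMF = {
    ("G", "G", "L"): Fraction("0.504"),  # p111
    ("G", "F", "L"): Fraction("0.126"),  # p121
    ("F", "G", "L"): Fraction("0.056"),  # p211
    ("F", "F", "L"): Fraction("0.014"),  # p221
    ("G", "G", "S"): Fraction("0.024"),  # p112
    ("G", "F", "S"): Fraction("0.096"),  # p122
    ("F", "G", "S"): Fraction("0.036"),  # p212
    ("F", "F", "S"): Fraction("0.144"),  # p222
}


def pr(pmf, a=None, b=None, e=None):
    """Probability of the event that fixes any of A, B, E (None = unrestricted).

    This is Eq. 2-13: add the probabilities of the sample points in the event.
    """
    return sum((p for (pa, pb, pe), p in pmf.items()
                if a in (None, pa) and b in (None, pb) and e in (None, pe)),
               Fraction(0))


def independent(pmf, a, b):
    """Eq. 2-26: Pr{A and B} equals Pr{A} Pr{B}."""
    return pr(pmf, a=a, b=b) == pr(pmf, a=a) * pr(pmf, b=b)


def conditionally_independent(pmf, a, b):
    """Eq. 2-28 checked for every environment E_i with Pr{E_i} > 0."""
    for env in sorted({pe for (_, _, pe) in pmf}):
        p_env = pr(pmf, e=env)
        if p_env == 0:
            continue  # Pr{. | E_i} is meaningless when Pr{E_i} = 0
        joint = pr(pmf, a=a, b=b, e=env) / p_env   # Eq. 2-29
        p_a = pr(pmf, a=a, e=env) / p_env          # Eq. 2-30
        p_b = pr(pmf, b=b, e=env) / p_env          # Eq. 2-31
        if joint != p_a * p_b:
            return False
    return True


def marginal_over_environment(pmf):
    """Ignore the environment: recovers the four sample points of Table 2-1."""
    return {(a, b): pr(pmf, a=a, b=b) for a, b in product("GF", repeat=2)}


if __name__ == "__main__":
    assert sum(PMF.values()) == 1
    table_2_1 = marginal_over_environment(PMF)
    print("Table 2-1:", {k: float(v) for k, v in table_2_1.items()})
    print("A_F, B_F s-independent:", independent(PMF, "F", "F"))
    print("A_F, B_F conditionally s-independent given E_L, E_S:",
          conditionally_independent(PMF, "F", "F"))
```

Collapsing the environment is what turns two conditionally s-independent failures into s-dependent ones: the same eight numbers pass Eq. 2-28 and fail Eq. 2-26.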
In systems which use redundancy to achieve very high reliability, the importance of common-mode failures often is overlooked completely. The key nature of conditional s-independence ought always to be in the analyst's mind when he uses redundancy.


TABLE 2-4. COMMON MODE (CAUSE) FAILURE CALCULATIONS

1. Procedure: Calculate $\Pr\{A_F\}$. Adapt
   $\Pr\{A\} = \sum_{j=1}^{N_B} \Pr\{A \mid B_j\} \Pr\{B_j\}$    (2-23b)
   Example:
   $\Pr\{A_F\} = \sum_{i=1}^{3} \Pr\{A_F \mid E_i\} \Pr\{E_i\}$    (2-32)
   $= (6 \times 10^{-4}) \times 0.9976 + (1 \times 10^{-2}) \times (2 \times 10^{-3}) + (1 \times 10^{-1}) \times (4 \times 10^{-4}) = 6.59 \times 10^{-4}$

2. Procedure: Calculate $\Pr\{B_F\}$.
   Example: $\Pr\{B_F\} = \Pr\{A_F\} = 6.59 \times 10^{-4}$ because $A_F$ and $B_F$ are interchangeable in the probabilities as given.

The unconditional probabilities differ from the benign conditional ones by less than 10%. (In practice rarely is a low probability of failure known as accurately as within ± 10%.)

3. Procedure: Calculate the conditional probabilities of $A_F \cap B_F$. Adapt Eq. 2-28.
   $\Pr\{(A_F \cap B_F) \mid E_i\} = \Pr\{A_F \mid E_i\} \Pr\{B_F \mid E_i\}$, for $i$ = B, HT, ET.
   Example:
   $\Pr\{(A_F \cap B_F) \mid E_B\} = (6 \times 10^{-4})^2 = 0.00036 \times 10^{-3}$
   $\Pr\{(A_F \cap B_F) \mid E_{HT}\} = (1 \times 10^{-2})^2 = 0.1 \times 10^{-3}$
   $\Pr\{(A_F \cap B_F) \mid E_{ET}\} = (1 \times 10^{-1})^2 = 10 \times 10^{-3}$

4. Procedure: Calculate $\Pr\{A_F \cap B_F\}$. Adapt Eq. 2-23b.
   Example:
   $\Pr\{A_F \cap B_F\} = (0.00036 \times 10^{-3}) \times 0.9976 + (0.1 \times 10^{-3}) \times (2 \times 10^{-3}) + (10 \times 10^{-3}) \times (4 \times 10^{-4})$
   $= 0.36 \times 10^{-6} + 0.200 \times 10^{-6} + 4 \times 10^{-6} = 4.56 \times 10^{-6}$

5. Procedure: Calculate $\Pr\{A_F\} \Pr\{B_F\}$.
   Example: $\Pr\{A_F\} \Pr\{B_F\} = (6.59 \times 10^{-4})^2 = 4.34 \times 10^{-7}$

From step 4 it is seen that virtually the only "cause" of system failure is the common-mode Electrical Transient Environment. From step 5, it is seen that if (unconditional) s-independence were to have been assumed, the failure probability of the system would have been underestimated by a factor of 10.
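The calculation of Table 2-4, extended from two units to n identical redundant units that all must fail and are conditionally s-independent given the environment. This Python is an added example, not part of the handbook; the function names and the n-unit extension are assumptions, and the environment data are the values given in the common-mode example.

```python
# Environment data from the common-mode example:
# name -> (Pr{E_i}, Pr{unit fails | E_i}); the same figures apply to U_A and U_B.
ENVIRONMENTS = {
    "benign":               (0.9976, 6e-4),
    "high temperature":     (2e-3,   1e-2),
    "electrical transient": (4e-4,   1e-1),
}


def check_partition(envs, tol=1e-9):
    """A partitioning is exhaustive and exclusive: the Pr{E_i} must add to one."""
    total = sum(p_env for p_env, _ in envs.values())
    if abs(total - 1.0) > tol:
        raise ValueError(f"environment probabilities add to {total}, not 1")


def unit_failure(envs):
    """Unconditional failure probability of one unit, Eq. 2-32 (from Eq. 2-23b)."""
    check_partition(envs)
    return sum(p_env * p_fail for p_env, p_fail in envs.values())


def system_failure_by_env(envs, n_units=2):
    """Pr{all n units fail, and E_i} for each environment.

    Conditional s-independence (Eq. 2-28) gives
    Pr{all fail | E_i} = Pr{fail | E_i} ** n; weighting by Pr{E_i} gives the
    terms that Eq. 2-23b adds up in step 4 of Table 2-4.
    """
    check_partition(envs)
    return {name: p_env * p_fail ** n_units
            for name, (p_env, p_fail) in envs.items()}


def system_failure(envs, n_units=2):
    """Pr{all n redundant units fail}, common-mode environments included."""
    return sum(system_failure_by_env(envs, n_units).values())


def naive_system_failure(envs, n_units=2):
    """Step 5 of Table 2-4: the result if unconditional s-independence is assumed."""
    return unit_failure(envs) ** n_units


def underestimate_factor(envs, n_units=2):
    """How many times too small the s-independence assumption makes the answer."""
    return system_failure(envs, n_units) / naive_system_failure(envs, n_units)


def dominant_environment(envs, n_units=2):
    """Environment contributing most to system failure, with its share."""
    contrib = system_failure_by_env(envs, n_units)
    name = max(contrib, key=contrib.get)
    return name, contrib[name] / sum(contrib.values())


if __name__ == "__main__":
    for n in (1, 2, 3):
        name, share = dominant_environment(ENVIRONMENTS, n)
        print(f"n={n}: Pr(system fails)={system_failure(ENVIRONMENTS, n):.3e}, "
              f"assuming s-independence={naive_system_failure(ENVIRONMENTS, n):.3e}, "
              f"underestimate x{underestimate_factor(ENVIRONMENTS, n):.1f}, "
              f"dominant: {name} ({share:.0%})")
```

For n = 2 this reproduces steps 1 through 5 of Table 2-4; for n = 3 the third unit lowers the system failure probability by only about a factor of 11, because the electrical-transient term dominates.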
2-5  DISTRIBUTIONS

Very often the sample space is a subset of the integers (or can be put
into 1-1 correspondence with some of the integers), and the probability
to be assigned to a sample point is a function of the integer which
corresponds to the sample point. The probability mass function (pmf) is
the function which assigns a probability to each sample point. This is
illustrated in Table 2-5.

2-5.1  RANDOM VARIABLES

When the sample space is associated with the integers, it is convenient
to introduce the notion of random variable. For example, the events C_i
and E_i in this chapter are random variables, and the probability of the
event depends on the integer i. A variable is a random variable if the
uncertainty involved with it is important, i.e., if probabilities need
to be associated with it. This is an engineering decision; for example,
the lengths of posts to be driven in the ground might not be considered
random even though they had a spread of ±10%, whereas the diameters of
ball bearings would probably be random variables if their spread was
±1%.


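TABLE 2-5.  DISCRETE DISTRIBUTIONS

| | Binomial | Poisson* |
|---|---|---|
| parameters | $p_1, p_2, N$ ($p_1 + p_2 = 1$) | $\mu$ |
| random variables | $n_1, n_2$ ($n_1 + n_2 = N$) | $n$ |
| pmf | $\frac{N!}{n_1!\,n_2!}\,p_1^{n_1} p_2^{n_2}$ | $\frac{e^{-\mu}\mu^{n}}{n!}$ |
| mean $\mu$ | $p_1 N,\ p_2 N$ | $\mu$ |
| variance $\sigma^2$ | $p_1 p_2 N$ | $\mu$ |
| 3rd central moment $M_3$ | $N p_1 p_2 (p_2 - p_1)$ | $\mu$ |
| 4th central moment $M_4$ | $N p_1 p_2 (3 N p_1 p_2 - 6 p_1 p_2 + 1)$ | $\mu(3\mu + 1)$ |
| coefficient of variation $\sigma/\mu$ | (-) | $\mu^{-1/2}$ |
| coefficient of skewness $M_3/\sigma^3$ | $\frac{p_2 - p_1}{(N p_1 p_2)^{1/2}}$ | $\mu^{-1/2}$ |
| excess coefficient of kurtosis $M_4/\sigma^4 - 3$ | $-\frac{6}{N} + \frac{1}{N p_1 p_2}$ | $\mu^{-1}$ |

*As is customary, the symbol μ (for mean) is used for the parameter
because the parameter happens to be the mean. This is also done in the
s-normal distribution.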
There is nothing mysterious about randomness and random variables. If
you need something to be a random variable, it is; if you don't need it
to be, it isn't.

2-5.2  MOMENTS

Random variables with pmf's have moments. The two conventional points
about which to take moments are the origin and the mean; when taken
about the mean, they are called central-moments. The second
moment-about-the-mean is the variance (square of the standard
deviation).

The nth moment, about the origin, of x is the s-expected value of x^n:

$$E\{x^n\} = \sum_i x_i^n\,\mathrm{pmf}\{x_i\} \qquad \text{(2-33)}$$

where $\sum_i$ implies the sum over the domain of x_i. (It is presumed
that the series converges absolutely; if not, a textbook ought to be
consulted.)

The nth moment, about the mean, of x is the s-expected value of
(x − μ)^n:

$$E\{(x - \mu)^n\} = \sum_i (x_i - \mu)^n\,\mathrm{pmf}\{x_i\} \qquad \text{(2-34)}$$

where μ = E{x}.

2-5.3  TWO DISTRIBUTIONS

Two common discrete distributions are the binomial and Poisson. Table
2-1 gives their definitions and properties. The Poisson distribution is
often used as an approximation for the binomial distribution; it is
usually adequate if the Poisson probability
$\sum_{n=N+1}^{\infty} \mathrm{pmf}\{n\}$ is negligible.

The adaptation (in most places) can be made mechanically as follows:

    p_1 N → μ
    N → ∞
    p_2 → 1
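The moment definitions of Eqs. 2-33 and 2-34 and the adequacy criterion of par. 2-5.3, as an added Python example (not part of the handbook): it computes the moments directly from each pmf, compares them with the closed forms of Table 2-5, and evaluates the Poisson probability beyond N. The function names and the sample values of N, p_1 and μ are assumptions chosen here.

```python
import math


def binomial_pmf(N, p1):
    """pmf{n1} = N!/(n1! n2!) p1^n1 p2^n2, with n2 = N - n1 and p2 = 1 - p1."""
    p2 = 1.0 - p1
    return {n1: math.comb(N, n1) * p1 ** n1 * p2 ** (N - n1)
            for n1 in range(N + 1)}


def poisson_pmf(mu, n_max):
    """pmf{n} = exp(-mu) mu^n / n! for n = 0..n_max (truncated domain)."""
    pmf, term = {}, math.exp(-mu)
    for n in range(n_max + 1):
        pmf[n] = term
        term *= mu / (n + 1)
    return pmf


def moment(pmf, order, about=0.0):
    """Eq. 2-33 (about=0) or Eq. 2-34 (about=mean): sum of (x - about)^n pmf{x}."""
    return sum((x - about) ** order * p for x, p in pmf.items())


def summary(pmf):
    """Mean, central moments and shape coefficients computed from the pmf."""
    mean = moment(pmf, 1)
    var, m3, m4 = (moment(pmf, k, mean) for k in (2, 3, 4))
    return {"mean": mean, "variance": var, "M3": m3, "M4": m4,
            "skewness": m3 / var ** 1.5, "excess_kurtosis": m4 / var ** 2 - 3}


def binomial_table(N, p1):
    """Closed forms of Table 2-5 for the binomial variable n1."""
    p2 = 1.0 - p1
    npq = N * p1 * p2
    return {"mean": p1 * N, "variance": npq, "M3": npq * (p2 - p1),
            "M4": npq * (3 * npq - 6 * p1 * p2 + 1),
            "skewness": (p2 - p1) / math.sqrt(npq),
            "excess_kurtosis": -6 / N + 1 / npq}


def poisson_table(mu):
    """Closed forms of Table 2-5 for the Poisson variable n."""
    return {"mean": mu, "variance": mu, "M3": mu, "M4": mu * (3 * mu + 1),
            "skewness": mu ** -0.5, "excess_kurtosis": 1 / mu}


def poisson_tail_beyond(N, mu):
    """Sum of the Poisson pmf over n = N+1, N+2, ...: probability placed on
    counts that the binomial (at most N) cannot produce."""
    n = N + 1
    term = math.exp(n * math.log(mu) - mu - math.lgamma(n + 1))
    total = 0.0
    while n <= mu or term > 1e-17 * total:
        total += term
        n += 1
        term *= mu / n
    return total


def max_pmf_gap(N, p1):
    """Largest |binomial - Poisson| pmf difference over n = 0..N, mu = p1 N."""
    b, p = binomial_pmf(N, p1), poisson_pmf(p1 * N, N)
    return max(abs(b[n] - p[n]) for n in range(N + 1))


if __name__ == "__main__":
    for N, p1 in ((20, 0.1), (5, 0.4)):  # both have mu = p1 N = 2
        print(f"N={N}, p1={p1}: Poisson tail beyond N = "
              f"{poisson_tail_beyond(N, p1 * N):.3e}, "
              f"max pmf gap = {max_pmf_gap(N, p1):.4f}")
        got, want = summary(binomial_pmf(N, p1)), binomial_table(N, p1)
        for key in want:
            print(f"  {key:16s} from pmf {got[key]:.6f}  Table 2-5 {want[key]:.6f}")
```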
CHAPTER 3  REVIEW OF ELEMENTARY PROBABILITY THEORY

(CONTINUOUS)


3-0  LIST OF SYMBOLS

C        = Conditional event
Cdf{ }   = Cumulative distribution function
Cov{ }   = Covariance
E{ }     = s-Expected value
f(x)     = pdf{X}
         = ith central moment
pdf{ }   = probability density function
Pr{ }    = Probability of
s-       = denotes statistical definition
Sf{ }    = Survivor function
Var{ }   = Variance
x, y, z  = particular values of X, Y (also used as subscripts)
X, Y, Z  = random variables
μ        = mean
σ        = standard deviation
∫_X      = integral over the domain of X

3-1  INTRODUCTION

When the sample space is continuous rather than discrete, the
theoretical basis of probability theory can become much more
sophisticated. However, many relatively simple problems can be solved by
a straightforward extension of the concepts in Chapter 2. Only those
straightforward concepts are discussed in this volume. Those who need
more advanced concepts ought to consult the Bibliography in Chapter 1.

The concept of probability-density needs to be introduced. It is
analogous to physical density functions, where continuous variables are
being used. For example, a 10-ft long uniform bar which weighs 200 lb
has a density of (200 lb)/(10 ft) = 20 lb/ft. It is not meaningful to
talk about the weight of a point along the bar, only the weight between
two points. If the bar is nonuniform, then the density changes from
point to point along the bar.

Probability densities can be very misleading because of possible
transformations of the variables. For example, if a random variable has
a uniform (constant) probability density, the logarithm of that random
variable will NOT have a uniform probability density.

The basic rules for probability are quite similar to those for the
discrete case, but the notation is usually somewhat different.

3-2  BASIC PROBABILITY RULES

3-2.1  SAMPLE SPACE, EVENT

The sample space is the domain of the random variable (i.e., the values
that can possibly be assumed by the random variable) or the domains of
the several random variables. For example, the strength of a metal has
the domain (0, ∞).

An event is the occurrence of some portion of the sample space. For
example, an event might be “Strength > S_0” where S_0 is some constant.
Figure 3-1 shows some set rules for continuous space.

3-2.2  NOTATION AND DEFINITIONS

Notation            Definition

capital letter      The name of a random variable.

lower case letter   A specific value of the random variable.

Pr{·}               Probability of the event in the { }; e.g.,
                    Pr{X ≤ x} = probability of the event X ≤ x.

Pr{·|·}             Conditional probability; probability of the event
                    to the left of the |, given that the event
                    (condition) to the right of the | has occurred.

Pr{·;·}             Probability of the event to the left of the
                    semicolon. The events or parameters to the right of
                    the semicolon are known. The notation is often used
                    for emphasis or as a reminder.
(A)  Union of X and Y (written X ∪ Y)

(B)  Intersection of X and Y (written X ∩ Y)

FIGURE 3-1.  Venn Diagrams Showing Set Relationships


Cdf{·}              Cumulative distribution function of the variable
                    inside the { }; e.g., Cdf{X} = Pr{X < x}.

pdf{·}              Probability density function of the variable inside
                    the { }; it is the derivative of the Cdf, if the
                    derivative exists.

Sf{·}               Survivor function; Sf{X} = Pr{X > x} = 1 − Cdf{X}
                    for continuous variables.

,                   both/and, used as a symbol analogous to
                    intersection; e.g., it is used to denote a joint
                    pdf.

;  |                Used in Cdf, pdf, Sf, etc., in a fashion and with a
                    meaning analogous to that for Pr{·;·} and Pr{·|·}.


3-2.3  RULES, LAWS, AND DEFINITIONS FOR PROBABILITY DENSITIES

Let X, Y be suitable random variables with domains (−∞, ∞).

    pdf{X} ≥ 0                          (3-1)

    0 ≤ Cdf{X} ≤ 1                      (3-2a)

    0 ≤ Sf{X} ≤ 1                       (3-2b)

Let

    f(x)   = pdf{X}
    F(x)   = Cdf{X}
    g(y)   = pdf{Y}
    G(y)   = Cdf{Y}
    h(x,y) = joint pdf of X and Y
    H(x,y) = joint Cdf of X and Y

then

    f(x) = marginal pdf of x
    F(x) = marginal Cdf of x
    g(y) = marginal pdf of y
    G(y) = marginal Cdf of y

    F(x) = H(x, ∞)                      (3-3a)

    G(y) = H(∞, y)                      (3-3b)

While “h or H” uniquely determines “f or F” and “g or G”, the converse
is not true: “f or F” and “g or G” do not uniquely determine “h or H”,
because the form of the s-dependence of x and y is not then known.

3-2.4  TRANSFORMATION OF VARIABLES

Let X, Y be two suitable random variables

    f(x) = pdf{X}
    g(y) = pdf{Y}
    y = y(x)

$$g(y)\,dy = f(x)\,dx \qquad \text{(3-4a)}$$

$$g(y) = f(x)\left|\frac{dx}{dy}\right| \qquad \text{(3-4b)}$$

The form of Eq. 3-4a is usually easier to remember. Variables can be
transformed directly, within a Cdf, with no complications at all.
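The remark in par. 3-1 that the logarithm of a uniformly distributed variable is not uniform, worked through with Eq. 3-4b and checked through the Cdf (an added derivation, not part of the handbook; the interval endpoints c and d, with 0 < c < d, are assumptions chosen here):

$$f(x) = \frac{1}{d - c}, \quad c < x < d; \qquad y = \ln x, \quad x = e^{y}, \quad \frac{dx}{dy} = e^{y}$$

$$g(y) = f(x)\left|\frac{dx}{dy}\right| = \frac{e^{y}}{d - c}, \qquad \ln c < y < \ln d$$

$$\int_{\ln c}^{\ln d} g(y)\,dy = \frac{e^{\ln d} - e^{\ln c}}{d - c} = 1$$

$$G(y) = \Pr\{Y \le y\} = \Pr\{X \le e^{y}\} = F(e^{y}) = \frac{e^{y} - c}{d - c}, \qquad \frac{dG}{dy} = \frac{e^{y}}{d - c} = g(y)$$

The density of Y grows exponentially across its domain even though the density of X is constant, and the direct substitution inside the Cdf gives the same result as Eq. 3-4b.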

3-2.5  CONVOLUTION

Let

1.  Z, X, Y be suitable random variables with domains (−∞, ∞)

2.  Z = X + Y

3.  w(z) = pdf{Z}
    f(x) = pdf{X}
    g(y) = pdf{Y}
    h(x,y) = pdf{X,Y}

Then, the convolution formula is

$$w(z) = \int_{-\infty}^{\infty} h(z - y, y)\,dy = \int_{-\infty}^{\infty} h(x, z - x)\,dx$$

If X and Y are s-independent, then the convolution formula is

$$w(z) = \int_{-\infty}^{\infty} f(x)\,g(z - x)\,dx = \int_{-\infty}^{\infty} f(z - y)\,g(y)\,dy$$

3-3  s-INDEPENDENCE AND CONDITIONAL s-INDEPENDENCE

The notion of s-independence is analogous to that for discrete
distributions.

X, Y are s-independent random variables if and only if

    pdf{X,Y} = pdf{X} pdf{Y}            (3-7)

The concept is the same for conditional s-independence. X, Y are
conditionally s-independent random variables if and only if

    pdf{X,Y|C} = pdf{X|C} pdf{Y|C}      (3-8)

where C = a condition (event).

Conditional s-independence plays a very important role in reliability
calculations where redundancy is involved.

3-4  DISTRIBUTIONS

In reliability engineering the most common domain for a random variable
is (0, ∞). Examples of variables with the domain (0, ∞) are strength,
time, failure rate. In many cases where the domain is (−∞, ∞), the
probabilities associated with (−∞, 0) are negligible and are included
only to simplify the mathematics. This is especially true for the
s-normal distribution wherein negative values of some variables are
physically meaningless; but it is convenient to integrate over the whole
real line.

Continuous mathematical distributions rarely represent physical
phenomena over the entire domain of the variable. Usually, however, the
probabilities associated with the disturbing part of the domain are
negligible. If they are not, then of course, the model must be
reformulated.

3-4.1  MOMENTS

Random variables with pdf's have moments. The two conventional points
about which to take moments are the origin and the mean; when taken
about the mean, they are called central moments. Two random variables
can have joint moments, although only the second is used practically.
Let X be the random variable and f(x) = pdf{X}.

The nth moment (about the origin) of X is the s-expected value of x^n:

$$E\{X^n\} = \int_X x^n f(x)\,dx \qquad \text{(3-9)}$$

where $\int_X$ implies the integral over the domain of X. (It is
presumed that the integral converges absolutely; if not, a textbook
ought to be consulted.)

The nth moment, about the mean, of X is the s-expected value of
(X − μ)^n:

$$E\{(X - \mu)^n\} = \int_X (x - \mu)^n f(x)\,dx \qquad \text{(3-10)}$$

where μ = E{X}.


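Let X and Y be random variables and

    f(x)   = pdf{X}
    g(y)   = pdf{Y}
    h(x,y) = pdf{X,Y}
    μ_x    = E{X}
    μ_y    = E{Y}

then

$$\mathrm{Var}\{X\} = E\{(x - \mu_x)^2\} \qquad \text{(3-11)}$$

$$\mathrm{Cov}\{X,Y\} \equiv E\{(x - \mu_x)(y - \mu_y)\} = \int_X \int_Y (x - \mu_x)(y - \mu_y)\,h(x,y)\,dx\,dy \qquad \text{(3-12)}$$

The linear-correlation coefficient is defined as

$$\frac{\mathrm{Cov}\{X,Y\}}{[\mathrm{Var}\{X\}\,\mathrm{Var}\{Y\}]^{1/2}} \qquad \text{(3-13)}$$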


3-4.2  DISTRIBUTIONS AND THEIR PROPERTIES

The most popular distribution for time-to-failure or
time-between-failures is the exponential. There are two reasons for this
popularity.

1.  The distribution fits many data without doing too much violence to
an engineering concept of goodness-of-fit.

2.  The failure rate is a constant, and thus the distribution is very
tractable.

The most popular distribution for material properties, device
parameters, and generalized “stresses”, “potentials”, and “currents” is
the s-normal distribution. There are two reasons for its popularity.

1.  The distribution fits many data without doing too much violence to
an engineering concept of goodness-of-fit.

2.  The distribution is so tractable, has no parameters for the basic
distribution, and convolves into itself.

Most distributions can be transformed into something that looks
different by a linear transformation of the variable. Custom, more than
anything else, determines what the standard form is. If a linear
transformation X = aU + b is applied to a distribution, the mean and
variance are transformed as follows:

    E{X} = a E{U} + b                   (3-14a)

    Var{X} = a² Var{U}                  (3-14b)

There are usually several ways of writing the parameters of a
distribution, e.g., a scale parameter can be used in the form λx or x/α
(where x is the random variable and α, λ are parameters). The forms in
Table 3-1 are chosen to be useful to reliability engineers.
CHAPTER 4  REVIEW OF ELEMENTARY STATISTICAL THEORY


4-1  INTRODUCTION

This chapter presents some of the statistical concepts which are useful
in a reliability context. The Bibliography at the end of Chapter 1 gives
elementary, intermediate, and advanced texts on probability and
statistics. It is not the purpose of this chapter to write another
textbook on statistics.

The purpose of statistics is to help people analyze real data and draw
reasonable conclusions from them. In reliability engineering, the
function of statistics most often will be in showing an engineer what he
does NOT know from the data; i.e., statistics will provide an engineer
with a feeling for the uncertainty in the conclusions he wants to draw
from the data.

The few concepts of statistics that are important in reliability ought
to be carefully learned. It is better not to use them than to use them
incorrectly.

4-2  ESTIMATION OF PARAMETERS

It is usually convenient to summarize a mass of data by stating a
distribution from which they might well have come. This usually is done
by choosing a distribution (on the basis of previous ideas, simplicity,
massaging of the data, or something else) and then estimating the
parameters of the distribution. There are several popular methods of
estimating parameters; they are not detailed here, but Part Six,
Mathematical Appendix and Glossary, shows estimation methods for many
of the popular distributions.

The important thing about an estimate is its properties, not how you got
it. In these days of readily available computers, the cost of making
estimates whose properties are good and well known is negligible
compared to the cost of getting the original data.

4-2.1  s-EFFICIENT ESTIMATOR

For engineers, s-efficiency is what estimation is all about. Any
estimator uses a statistic; that statistic has properties such as a mean
value and a variance. The s-efficiency of an estimator is measured by
the second moment of the estimator taken about the true value. If the
estimator is s-biased (par. 4-2.3), then this second moment is “variance
+ (bias)²”. If the estimator is s-unbiased (zero bias), s-efficiency is
measured by the variance of the estimator. For a fixed sample size, the
smaller the variance of the estimator, the more s-efficient it is.

There is a lower bound to the variance of an estimator: the Cramer-Rao
lower bound. s-Efficiencies often are measured relative to the
Cramer-Rao lower bound; if this s-efficiency is 100 percent, that’s as
s-efficient as one can get. Most estimators used in reliability work are
quite s-efficient.

s-Efficiency is perhaps the most desirable property of an estimator. It
tells you how good or bad your estimate is likely to be.

4-2.2  s-CONSISTENT ESTIMATORS

An s-consistent estimator is one which “approaches” the true value as
the sample size “goes to infinity”. The reason for the quote marks is
that the phrases are loose expressions of complicated mathematical
concepts; for a more exact definition, consult a textbook. s-Consistency
is a very desirable attribute of an estimator. Virtually all estimators
in use in reliability work are s-consistent.

4-2.3  s-BIAS

s-Bias is the difference between the s-expected (mean) value of an
estimator (for a fixed sampling plan) and the true value. It enters the
measure of s-efficiency (par. 4-2.1); as long as the s-bias is less than
about 50 percent of the standard deviation, the contribution of the
s-bias can be neglected. Being s-unbiased is nice for theoretical work,
but it is vastly overrated as a criterion for goodness of reliability
estimators. The main reason for this is that if $\hat{\theta}$ is an
s-unbiased estimator of $\theta$, $f(\hat{\theta})$ is an s-biased
estimator of $f(\theta)$ unless $f(\cdot)$ is a linear function. The
most widespread misunderstanding of this principle is involved in the
estimate for the variance of an s-normal distribution. The S² statistic,
S² ≡ SS/(N − 1) (where SS is the sum of squares of deviations about the
sample mean, and N is the number of items in the sample), is an
s-unbiased estimator of σ² (the true value of the variance), but S is an
s-biased estimator of σ. (The square root function is not linear.)
Another example is 1/λ, the reciprocal parameter for an exponential
distribution. An s-unbiased estimator for 1/λ is the sample mean, but
the reciprocal of that estimator is an s-biased estimator of λ. (The
reciprocal is not a linear function.)

How is an engineer to know what function of the parameter ought to be
s-unbiased? He doesn’t. In general, reliability engineers can ignore
s-bias of estimators; they need only be concerned about s-efficiency.
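The two s-bias examples of par. 4-2.3 and the “variance + (bias)²” measure of par. 4-2.1, as an added Python simulation (not part of the handbook). The sample size, parameter values, seed and function names are assumptions chosen here; the closed forms used for comparison are the standard results E{S} = c4(N)·σ for s-normal samples and E{1/x̄} = Nλ/(N − 1) for exponential samples.

```python
import math
import random


def c4(N):
    """E{S}/sigma for an s-normal sample of size N, with S^2 = SS/(N-1)."""
    return math.sqrt(2.0 / (N - 1)) * math.exp(
        math.lgamma(N / 2) - math.lgamma((N - 1) / 2))


def expected_rate_estimate(lam, N):
    """E{1/sample mean} for N exponential lifetimes with rate lam."""
    if N < 2:
        raise ValueError("the s-expected value is infinite for N < 2")
    return N * lam / (N - 1)


def sample_estimates(N, trials, seed, sigma=1.0, lam=2.0):
    """Repeat the sampling plan many times and record each estimate."""
    rng = random.Random(seed)
    out = {"S2": [], "S": [], "mean_life": [], "rate": []}
    for _ in range(trials):
        xs = [rng.gauss(0.0, sigma) for _ in range(N)]
        xbar = sum(xs) / N
        s2 = sum((x - xbar) ** 2 for x in xs) / (N - 1)  # SS/(N-1)
        out["S2"].append(s2)
        out["S"].append(math.sqrt(s2))
        tbar = sum(rng.expovariate(lam) for _ in range(N)) / N
        out["mean_life"].append(tbar)        # estimates 1/lam
        out["rate"].append(1.0 / tbar)       # estimates lam
    return out


def mse_parts(estimates, true_value):
    """Second moment about the true value, split into variance and bias."""
    n = len(estimates)
    mean = sum(estimates) / n
    bias = mean - true_value
    variance = sum((e - mean) ** 2 for e in estimates) / n
    mse = sum((e - true_value) ** 2 for e in estimates) / n
    return {"bias": bias, "variance": variance, "mse": mse,
            "bias_over_sd": abs(bias) / math.sqrt(variance)}


def run(N=5, trials=40000, seed=2024, sigma=1.0, lam=2.0):
    est = sample_estimates(N, trials, seed, sigma, lam)
    truths = {"S2": sigma ** 2, "S": sigma, "mean_life": 1.0 / lam, "rate": lam}
    return {name: mse_parts(est[name], truths[name]) for name in est}


if __name__ == "__main__":
    N = 5
    print(f"closed forms: E{{S}}/sigma = {c4(N):.4f}, "
          f"E{{1/xbar}} = {expected_rate_estimate(2.0, N):.3f} for lam = 2")
    for name, parts in run(N=N).items():
        print(f"{name:10s} bias {parts['bias']:+.4f}  "
              f"variance {parts['variance']:.4f}  mse {parts['mse']:.4f}  "
              f"|bias|/sd {parts['bias_over_sd']:.2f}")
```

For the reciprocal-of-the-mean estimator at N = 5 the s-bias is about a third of the standard deviation, so it adds only about a tenth to the second moment about the true value.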

4-2.4  UNCERTAINTY

Any estimates of parameters ought to be accompanied by an estimate of
the uncertainty involved. Two common methods of indicating uncertainty
are the covariance matrix and s-confidence intervals. The reliability
engineer need not know how to get them, only how to use them.

4-3  TESTS OF s-SIGNIFICANCE

The most important thing about s-significance is what it isn’t; it is
not “engineering importance”. s-Significance is concerned with tests
that are run to see if one thing is different from another. A
statistical model is formulated and measurements (tests) are made on the
sample(s) to measure the difference in the items of the sample. For
example, does heat-treating method A produce better fatigue properties
than heat-treating method B? Usually the statistical hypothesis is made
that there is no difference. Then the statistical distribution of the
test statistic is calculated. In the example, the test statistic might
be the difference in average fatigue-strengths at 10^7 cycles of stress.
The value of that test statistic for the sample(s) is measured and
compared with the distribution. If a value as large as observed would
occur only 0.1 percent of the time or less, the effect (difference) is
not likely to have been a chance observation, but is likely to be due to
one method being better than another. If the value of the test statistic
for the sample(s) would be exceeded 40 percent of the time, then it is
not likely that one method is better than another. The percentage chosen
(0.1 percent, 40 percent, etc.) is called the s-significance level. In
practice, engineers want the effect to be s-significant at a 20 percent
level or less.

Regardless of the outcome of the statistical test, the engineer wants
the effect to be of engineering importance. It is possible to take a
sample small enough so that no matter what the actual difference is, it
will not be s-significant because the uncertainties due to too few data
overwhelm all other considerations. On the other hand, it is also
possible to take so much data that the difference will be s-significant,
no matter how small the effect. Tests of s-significance suffer from
being equivalent to point estimates. Engineers would rather estimate the
difference between two methods and the uncertainty in that estimate.
This procedure is discussed in par. 4-4 on s-confidence statements.

4-4  s-CONFIDENCE STATEMENTS

As with s-significance there is an important difference between the
engineering and statistical concepts. s-Confidence is a statistical
concept with a very special, exact meaning. Don’t use the concept
without understanding that meaning.

An example statement is a good way to understand the concept.

    “The true improvement in fatigue strength (method B over method A)
    lies between −1.7 and +10.9 kips/in.² at a 90 percent s-confidence
    level.”

The 90 percent s-confidence level means that 90 percent of the times
that one goes through the statistical manipulations as done for this
example, the resulting statement will be correct; 10 percent of the time
it will be wrong. The −1.7 and +10.9 kips/in.² are called the
s-confidence limits.

For a given set of sample measurements, the higher the s-confidence
level is, the wider the s-confidence limits will be.

An engineer might look at the s-confidence statement and say, “Even if
the improvement in fatigue strength were as good as the top limit, it
wouldn't be too useful. We need an improvement of at least 20
kips/in.²” There is probably little point, then, in running more tests.
However, if he says, “All we need is 5 kips/in.² improvement.” he
undoubtedly would want to run more tests to pin down the improvement
more exactly.

s-Confidence is not engineering confidence, although the concepts are
related.

4-5  GOODNESS-OF-FIT TESTS

When a particular distribution is assumed to represent a set of data, a
natural question arises, “How good is the fit of the distribution to the
data?” There are several statistical tests that can be performed. Some
are peculiar to the distribution itself, and some can be applied to any
distribution. The two most popular ones for application to any
distribution are the Chi-square and the Kolmogorov-Smirnov tests.

A goodness-of-fit test is equivalent to a test of s-significance (par.
4-3) and has all the difficulties associated with s-significance tests.
That difficulty, briefly, is that it is possible to take so few data
that it is impossible to reject any distribution, and it is possible to
take so many data that every distribution will be rejected.

What is needed is a test for fit that answers an engineering question,
such as, “If I use this distribution for interpolation, how bad will my
answers be?” Unfortunately, such tests are not available. Therefore, a
considerable amount of engineering judgment must be used in reckoning
goodness-of-fit.

4-6  SAMPLES AND POPULATIONS

In practical situations the population, about which statistical
inferences are to be made, is determined by the method in which the
sample for testing was drawn. The use of historical data is fraught with
extreme danger this way. For example, electrolytic capacitors that were
derated to 50 percent or less were more reliable than those derated to,
say, 70 percent of their rating; results like that were obtained in
reliability studies of armed forces equipment in the 1950’s. Was this
sample taken from all kinds of designers, or was it taken from only a
subset of designers? For example, if the designers whose equipment was
measured were such that conservative designers put electrolytic
capacitors in cool places and careless designers put them in hot places,
the population of designers does not include those who put very derated
electrolytics in hot places nor those who put mildly derated ones in
cool places.

Probably the most controversial situation of samples vs populations
concerns the relationship of cigarette smoking to health. Samples were
taken of smokers and nonsmokers, etc., but from what population were the
people a statistically random sample?

A more frequently occurring difficulty is testing a small sample of
parts and then implicitly hoping that the small sample represents the
population which will be obtained from several suppliers month after
month.

For really important tests, the engineer has to decide what are the
possibly important effects and then find an appropriate statistician to
help with sampling.

4-7  IFR AND DFR DISTRIBUTIONS

Sometimes it is difficult to determine a distribution of lifetimes of a
unit. It may, even then, be feasible to decide that the failure rate of
the unit is always increasing (IFR = Increasing Failure Rate) or always
decreasing (DFR = Decreasing Failure Rate). If a distribution is known
to be IFR or to be DFR, bounds can be put on the failure behavior. One
of these bounds is provided by the Constant Failure Rate distribution
and its associated relationships.

For example, the Weibull and Gamma distributions (see Table 3-1 for
notation) are IFR when the shape parameter β is greater than 1 and DFR
where it is less than 1. Both have constant failure rates when the shape
parameter is 1. The s-normal distribution is IFR; the lognormal
distribution is neither (at first the failure rate increases, then it
decreases).

A general discussion of IFR and DFR distributions is given in Ref. 1;
DFR distributions are discussed in detail in Ref. 1. Bounds on
reliability parameters are given in Refs. 2-5. Refs. 6, 7 discuss the
conditions under which systems:

1.  Made up of IFR elements, are themselves IFR.

2.  Made up of DFR elements, are themselves DFR.

Ref. 8 shows how to test a sample to see if it comes from a distribution
with a monotonic failure rate, and if so, whether it is IFR or DFR.

Even though this mathematical material is available in the literature,
it is not clear how valuable it can be to the reliability engineer. An
experienced statistician ought to be consulted before applying any of
the results. The reliability engineer must also use his judgment in
deciding how much less stringent the restrictions for this theory really
are, than just to blithely assume one of the conventional distributions.

Generally speaking, the decisions about hardware will not be radically
different regardless of which of several distributions is chosen to
represent the life of the units. If that conclusion is not true, then
the engineer is in serious trouble because he needs more information
than he has.
CHAPTER 5  SOME ADVANCED MATHEMATICAL TECHNIQUES


5-0  LIST OF SYMBOLS

n     = number of states
s-    = denotes statistical definition
S_i   = system-state i
t     = time
u     = time at which in-repair unit fails; regeneration point
λ_ij  = transition rate from S_i to S_j

5-1  INTRODUCTION

The approach to reliability wherein transition distributions from one
state to another are all general is not tractable, because there are no
simple instants of time at which past history can be ignored. The best
that can be done in the general case is to give a complicated algorithm
for calculating probability of transition at any time. Therefore,
everyone uses simplifying assumptions of some sort. A few of the
mathematical techniques that are useful in the simplification process
are mentioned here. None were discovered or invented for reliability
analysis; they are well-known (to mathematicians) techniques. Refs. 1
and 2 give more details on many of them. Handbooks such as Ref. 6 also
show these and other techniques; Ref. 7 is an example of a textbook
which teaches some of these techniques.

5-2  MARKOV PROCESSES

There are several kinds and generalizations of Markov processes, but
only the most simple process will be discussed here. For more details,
see Refs. 1 and 2 and the Bibliography at the end of Chapter 1.

5-2.1  SYSTEM STATE

The system is presumed to be in one of a set of states and can go from
one state to another. The state of a system is a description of its
condition. The analyst can choose the way a state is characterized.
Consider this example. Suppose a system consists of three subsystems,
each of which can be adequately described by one of the following four
conditions: Good, Degraded, Failed waiting for repair, In repair.
Further suppose that the state of the system is characterized adequately
by giving the states of each of the three subsystems. Then there are
4 × 4 × 4 = 64 possible states of the system. A state of this system
consists of the specification of the states of each of its three
subsystems, e.g., Good, In repair, Good. When the state of a subsystem
changes, the state of the system will change.

5-2.2  MARKOV  CHAINS 

Suppose the states of the system are specified, e.g., S_1, ..., S_n,
then there are n states. It is presumed that the probability of going
from one state to another depends only on those two states, and no
others; past history is wiped out. For any two states, the transition
rate is a constant. The transition rate λ_ij from state S_i to state
S_j corresponds to a failure rate for an exponential process in that
it is a ratio of a probability density function to a Survivor
function. Many of the λ_ij for a system are usually zero, because
certain transitions are not possible, by the very nature of the
particular system. In the example in par. 5-2.1, just repaired
subsystems might always be Good, never Degraded. Then, a subsystem
could never go from “In-repair” to “Degraded”, but it could go from
“In-repair” to “Good” or from “Degraded” to “In-repair”. The λ_ij can
be put in a matrix form.

Many  special  cases  have  been  worked  out 
in  the  literature.  Refs.  3-5  are  likely  sources 
of  material. 

Considerable simplification of the theory is possible when only the
steady-state behavior of the system is of concern, not the transient
(start-up) behavior.

In  practice,  the  number  of  system  states 
must  be  severely  limited  in  order  for  the  anal- 
ysis to  be  tractable. 
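A worked version of pars. 5-2.1 and 5-2.2, added here as an illustration and not taken from the handbook: the transition rates of one four-condition subsystem are put in matrix form and the steady-state probabilities are solved from the balance equations. The rate values and all function names are constructed assumptions.

```python
from itertools import product

# The four subsystem conditions named in par. 5-2.1.
CONDITIONS = ["Good", "Degraded", "Failed waiting for repair", "In repair"]

# Constructed transition rates (per hour), keyed (from, to); pairs not listed
# are zero. "In repair" -> "Degraded" is left out on purpose: par. 5-2.2 notes
# that a just-repaired subsystem might always be Good, never Degraded.
RATES = {
    ("Good", "Degraded"): 0.010,
    ("Good", "Failed waiting for repair"): 0.002,
    ("Degraded", "Failed waiting for repair"): 0.020,
    ("Degraded", "In repair"): 0.050,
    ("Failed waiting for repair", "In repair"): 0.500,
    ("In repair", "Good"): 0.250,
}


def system_states(n_subsystems=3):
    """Every system state: one condition per subsystem (4**3 = 64 for three)."""
    return list(product(CONDITIONS, repeat=n_subsystems))


def rate_matrix(states, rates):
    """Matrix form of the rates: q[i][j] is the rate from state i to state j,
    and each diagonal entry is minus the total rate out of that state."""
    index = {s: k for k, s in enumerate(states)}
    n = len(states)
    q = [[0.0] * n for _ in range(n)]
    for (src, dst), lam in rates.items():
        if src == dst or lam < 0.0:
            raise ValueError(f"bad transition rate {src!r} -> {dst!r}: {lam}")
        q[index[src]][index[dst]] = lam
    for i in range(n):
        q[i][i] = -sum(q[i])  # diagonal is still zero here
    return q


def steady_state(q):
    """Long-run state probabilities p: solve p.Q = 0 with sum(p) = 1.
    Raises ValueError when the chain has no unique steady state."""
    n = len(q)
    # Row j of the augmented system is the balance equation for state j
    # (column j of Q). One balance equation is redundant, so the last row
    # is replaced by the normalisation sum(p) = 1.
    a = [[q[i][j] for i in range(n)] + [0.0] for j in range(n)]
    a[n - 1] = [1.0] * n + [1.0]
    for col in range(n):  # Gauss-Jordan elimination with partial pivoting
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        if abs(a[pivot][col]) < 1e-12:
            raise ValueError("no unique steady state")
        a[col], a[pivot] = a[pivot], a[col]
        for r in range(n):
            if r != col:
                factor = a[r][col] / a[col][col]
                a[r] = [x - factor * y for x, y in zip(a[r], a[col])]
    return [a[i][n] / a[i][i] for i in range(n)]


if __name__ == "__main__":
    print(len(system_states()), "system states for three subsystems")
    probs = steady_state(rate_matrix(CONDITIONS, RATES))
    for name, p in zip(CONDITIONS, probs):
        print(f"{name:26s} {p:.6f}")
```

The same solver applied to the full 64-state system needs a 64 × 64 rate matrix, which is why the number of states has to be kept small.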

5-3  LAPLACE  TRANSFORMS 

The Laplace transform is perhaps the most popular transform for
engineers; they use it often in solving differential equations

The Laplace transform is very closely related to the
Laplace-Stieltjes transform and to the Fourier transform. The Moment
Generating function and the Characteristic function are also related
to the Laplace transform, although statistics texts seem rarely to
point this out. (The Characteristic function is, formally, the
Fourier transform; and the Moment Generating function is, formally,
the Laplace transform.) The Stieltjes form of the Laplace transform
has fewer difficulties with “existence” than does the Laplace
transform, although in practical reliability work, “existence” of
integrals and pdf's is rarely a difficulty. In the remaining
discussion, the phrase, Laplace transform, includes all the related
transforms and functions.

The Laplace transform changes differentiation and integration into
multiplication and division by the transform-variable. In reliability
analysis, another of its properties is even more important. The
Laplace transform of the sum of several s-independent random
variables is the product of the individual Laplace transforms of the
random variables. Thus convolution is transformed to multiplication.

When the equations of the system are expressed in Laplace transforms,
the steady state (t → ∞) behavior can be found easily without
inverting the transforms.

The  Laplace  transform  of  the  answer  in  a 
reliability  problem  often  can  be  obtained  in  a 
closed  form,  albeit  usually  unwieldy.  The  dif- 
ficulty arises  because  inversion  is  rarely  fea- 
sible in  closed  form;  then  numerical  inversion 
must  be  used. 

5-4  REGENERATION  POINTS 

The big advantage of assuming constant transition rates is that every
time-instant is a regeneration (renewal) point. Statistically
speaking, the system (when in a particular state) has no memory as to
how long it has been in that state; each instant is just like every
other instant.

If general statistical distributions are used, this is no longer
simply the case. The trick in an analysis is to find (or invent) some
time instants which have this regeneration property; once you know
that the system is at this time instant, its past history can be
forgotten. One way of finding suitable regeneration points is to
introduce an extra time variable to help describe the state of the
system.

For  example,  suppose  a system  of  two 
units  is  in  one  of  the  following  three  states: 

1.  One  unit  operating,  other  in-standby 

2.  One  unit  operating,  other  in-repair 

3.  One  unit  in-repair,  other  waiting-for- 
repair. 

The unit is in state two at time = t; introduce the time = u at which
the in-repair unit fails; at time = 0 the operating unit was put into
operation. With u as an extra variable, time = u is a regeneration
point; the state probabilities do not depend upon the history of the
system prior to u.

Of  course,  the  introduction  of  extra  vari- 
ables complicates  the  analysis,  but,  at  least, 
some  equations  can  be  written  down.  This 
supplementary  variable  technique  is  used  in 
the  literature,  e.g.,  Ref.  5,  in  order  to  “solve” 
reliability  problems  where  random  variables 
have  unspecified  distributions.  Virtually  all 
problems  when  stated  this  way  will  involve 
the  sums  of  s-independent  random  variables; 
so  Laplace  transforms  will  ordinarily  be  used 
in  the  solution  of  the  problem  (see  par.  5-3). 

Ref. 7 discusses renewal theory in detail.

CHAPTER 6 CREATING THE SYSTEM RELIABILITY MODEL


6-0 LIST OF SYMBOLS

k-out-of-n:F            special kind of system, see par. 6-3.2
k-out-of-n:G            special kind of system, see par. 6-3.2
MTF                     Mean Time to Failure
MTBF                    Mean Time Between Failures
s-                      denotes statistical definition
t                       time, time-to-failure
X, Y, Z, A, B, E, ...   events or elements on a dependency diagram
%                       subsets of 'k; 'k is any event or set
*                       events related to 'k; 'k is any event
                        not 'k, complement of 'k; 'k is any event or set
AND, OR                 logical operators (AND → ∩; OR → ∪)
△, ▽, ○, □              symbolic elements for a dependency diagram;
                        see par. 6-2.3.1


6-1  INTRODUCTION 

In  order  to  compute  the  reliability  meas- 
ures of  a system,  it  is  necessary  to  develop  a 
reliability  model  of  the  system.  A reliability 
model  consists  of  some  combination  of  a reli- 
ability block  diagram  or  Cause-Consequence 
chart,  a definition  of  all  equipment  failure 
and  repair  distributions,  a definition  of  the 
upstate  rules,  and  a statement  of  spares  and 
repair  strategies.  This  chapter  is  written  from 
the  point  of  view  of  reliability  diagrams,  be- 
cause historically  the  material  has  been  pre- 
sented that  way. 

A reliability block diagram is obtained from a careful analysis of
the manner in which the system operates, i.e., the effects on overall
system performance of failures of the various parts that make up the
system; the support environment and constraints, including such
factors as the number and assignment of spare parts and repairmen;
and the mission. Careful consideration of these factors yields a set
of rules (which will be referred to as “up-state rules”) which define
satisfactory operation of the system (system up) and unsatisfactory
operation (system down), as well as the various ways in which these
can be achieved. If a system operates in more than one mode, a
separate reliability diagram must be developed for each one (Refs. 1
and 2).

A considerable  amount  of  engineering 
analysis  must  be  performed  in  order  to  devel- 
op a reliability  model.  The  engineer  proceeds 
as  follows. 

(1)  Develop  a functional  block  diagram 
of  the  system  based  on  his  knowledge  of  the 
physical  principles  governing  system  opera- 
tion and  behavior. 

(2)  Develop  the  logical  and  topological 
relationships  between  functional  elements  of 
the  system. 

(3) Use the results of performance evaluation studies to determine
the extent that the system can operate in a degraded state. This
information might be provided by outside sources.

(4)  Define  the  spares  and  repair  strate- 
gies (for  maintained  systems).  The  spares 
strategy  defines  the  spares  allocated  to  the 
system  and,  in  the  case  of  multiple  failures, 
defines  the  order  in  which  spares  are  to  be 
used.  The  repair  strategies  define  the  number 
of  repairmen  and  the  order  in  which  they  are 
to  be  used  in  the  case  of  multiple  failures. 

This  chapter  presents  a description  of  the 
engineering  analysis  procedures,  mathematical 
block-diagramming  techniques,  and  other  pro- 
cedures used  to  construct  reliability  models. 

6-2  ENGINEERING  ANALYSIS 

6-2.1  INTRODUCTION 

Before the reliability model can be constructed, the system must be
analyzed. A functional block diagram and a dependency diagram, which
define the logical and topological relationships between functional
elements and their inputs and outputs, must be developed. These
diagrams can be developed for electrical, electromechanical, and
mechanical systems — the underlying principles are the same for all
(Refs. 2 and 3).

Basically,  the  functional  block  diagram 
must  contain  the  following  items: 

1.  A clear  identification  of  all  functions 
and  repetitive  functions. 

2.  Input-output  relationships  between 
functions.  For  electronic  systems,  this  takes 
the  form  of  signal  flow  from  input  to  output. 
Usual  and  alternate  modes  must  be  shown. 

3.  A clear  indication  of  where  power 
supplies  or  power  sources  are  applied  to  the 
system. 

4.  Description  of  switching  arrangements 
and  the  sequence  in  which  alternate  modes 
are  used. 

The  dependency  diagram  schematically 
represents  the  logical  interdependencies  of  the 
functional  elements  of  the  system  and  illus- 
trates step-by-step  how  an  input  is  processed 
to  produce  the  output  signal  or  mechanical 
action  (Refs.  2 and  4). 

Notes  and  attachments  can  be  used  to 
provide  more  detailed  information  on  a spe- 
cific system  than  can  be  portrayed  directly  on 
the  dependency  diagram.  An  alphameric  code 
ought  to  be  established  which  correlates  the 
dependency  diagram  with  the  functional 
block  diagram. 

The  reliability  block  diagram  for  the  case 
of  reliability  without  repair  can  be  derived 
directly  from  the  dependency  diagram  using 
the  techniques  of  Boolean  algebra.  For  repair- 
able systems,  simple  modifications  that  de- 
scribe the  spares  and  repair  strategies  must  be 
made  to  the  basic  block  diagram. 

6-2.2  FUNCTIONAL  BLOCK  DIAGRAMS 

Functional block diagrams must be developed to provide descriptive
coverage from system to subassembly levels. The information contained
in them and in the detailed circuit and mechanical descriptions of
the system can be used to develop a reliability model. The functional
block diagrams, circuit diagrams, mechanical descriptions, dependency
diagrams, and reliability block diagrams are related by means of an
alphameric coding scheme.


Notes  and  attachments  to  the  functional 
block  diagrams  must  (1)  provide  more- 
detailed  information  than  can  be  portrayed 
directly  on  the  functional  block  diagrams,  and 
(2)  describe  functional  relationships  whose 
complexity  precludes  direct  listing.  Typical 
attachments  to  the  functional  block  diagrams 
include  timing  diagrams,  switching  rules,  and 
descriptions  of  complex  interconnections  be- 
tween functions. 

Several  levels  of  functional  block  diagram 
might  be  required.  System-level  functional 
block  diagrams  show  the  relative  locations  of 
the  highest  level  functional  elements  in  the 
system,  their  interconnections,  relation  to  the 
external  environment,  power  levels,  and 
points  of  access  to  external  systems.  Basic 
system  mechanical  layout  information  (such 
as  physical  boundaries)  is  superimposed  on 
the  system  functional  block  diagram. 

Depending  on  the  system  being  described, 
several  levels  of  intermediate  functional  block 
diagrams  might  be  required.  The  intermedi- 
ate-level functional  block  diagrams  are  identi- 
cal in  structure  and  format  to  the  system  dia- 
grams, but  describe  the  system  in  greater  de- 
tail. When  basic  equipment  layout  informa- 
tion is  available,  it  is  superimposed  on  the  in- 
termediate-level block  diagrams. 

Many systems require several levels of mechanical descriptions. At
the overall coverage level, gross physical details are superimposed
on the system block diagram. At intermediate levels, more-detailed
physical features are defined. This is important because hardware
boundaries are needed to specify equipment configurations for which
reliability must be computed. The definition of physical
configuration is important when repairable systems are being analyzed
because the repair times are a function of accessibility and ease of
handling, which are physically related parameters.

The structure of the functional block diagrams and the physical
descriptions depend on the system. A tank, for example, has a very
well-defined physical structure and functional block diagram. On the
other hand, a tropospheric-scatter communications system has large,
interconnected units dispersed over a site area.

6-2.2.1 Discrete Systems

A discrete system has precisely defined mechanical and electrical
boundaries, and it occupies a limited, well-defined volume. Examples
of such systems are rifles, artillery projectiles, tanks, and
helicopters. A functional and mechanical description of a discrete
system usually can be prepared in a straightforward manner. The
reliability block diagrams usually are derivable readily from the
descriptions.

A traditional radio receiver is an example of a simple discrete
system; see Fig. 6-1 (Ref. 5). The system-level functional block
diagram describes the functional elements of the system and defines
the signal flow and interconnections between the functional elements.
All functional blocks are numbered and are keyed to the blocks of the
reliability model.

A more complex discrete system is the infrared (IR) camera in Fig.
6-2 (Ref. 6). This system contains mechanical, optical, and
electrical subsystems. These subsystems can be completely described
by functional block diagrams of different levels of complexity. For
example, the mirrors can be described by a single level block
diagram, while the IR detector may require several levels of
functional block diagrams and detailed circuit schematics for a
complete description.

A tank is an example of an even more complex discrete system; it
contains mechanical, electromechanical, and electronic components and
subsystems. Because of the way a tank is structured, a simple
functional block diagram which places the functions in a simple
geometrical order with a signal flow from input to output cannot be
drawn. The system-level block diagram of a main battle tank is shown
in Fig. 6-3 (Ref. 7).

6-2.2.2 Dispersed Systems

In  a dispersed  system  the  components  are 
dispersed  over  an  area  and  often  fit  together 
in  a complicated  way  that  requires  multiplex- 
ing of  signal  paths  and  feedback.  It  may  be 
difficult  to  describe  such  a system  with  a 
single  set  of  functional  block  diagrams;  a 
more  complex  representation  might  be  re- 
quired. 

A tropospheric-scatter system is a good example of a dispersed system
(Ref. 8). Tropospheric-scatter transmission systems are used to
extend line-of-sight communication systems by using atmospheric
refraction to transmit high-frequency waves beyond the horizon.
Direct transmission between two terminal stations located beyond the
optical horizon is obtained by the scattering properties of the
troposphere. Since the transmission properties of the atmosphere
randomly fluctuate, many properties of a tropospheric-scatter system
are statistical. This complicates the functional description of the
system because the properties of the transmission path, which is
external to the system hardware, affect system reliability.
Therefore, the transmission medium also must be described in the
system functional block diagram.

FIGURE 6-1. Radio Receiver Functional Block Diagram (Ref. 5)

FIGURE 6-2. Infrared Camera Functional Block Diagram (Ref. 6)

A summary  of  the  items  making  up  a 
tropospheric-scatter  system  functional  de- 
scription follows: 

1.  Geographical  deployment  plan 

2.  Station  layout  plan 

3.  System  layout  plan 

4.  Shelter  layout  plan 

5.  Antenna  layout  plan 

6.  Channeling  plan 

7.  Frequency  allocations  plan 

8.  Equipment  lists 

9.  Tabulation  of  system  and  equipment 
characteristics 

10.  Functional  block  diagrams  of  equip- 
ment and  systems  at  each  station 

11.  Signal  dependency  diagrams 

12.  System  interface  diagrams 

13.  Individual  functional  block  diagrams. 

The  reliability  model  for  this  system  is 
very  complex.  Several  reliability  models  will 
be  required  to  compute  system  reliability  and 
the  reliability  of  individual  equipments. 

A System  Layout  Plan  and  an  Equipment 
Functional  Diagram  for  one  station  are  de- 
scribed in  Figs.  6-4  and  6-5. 


6-2.3 DEPENDENCY DIAGRAMS

6-2.3.1 Definition of Terms

A dependency diagram pictorially defines the logical, electrical, and
topological interrelationships between the events and functional
elements in a system (Refs. 2 and 4). The terms used in the previous
sentence are defined as follows:

1.  The  logical  interrelationships  between 
functional  elements  are  the  rules  governing 
the  interplay  between  input  and  output  sig- 
nals or  forces.  These  rules  can  best  be  ex- 
pressed by  Boolean  equations. 

2.  The  electrical  interrelationships  de- 
scribe the  flow  of  electrical  energy  between 
functions.  A good  example  is  a traditional  sig- 
nal flow  diagram. 

3.  The  topological  relationships  express 
the  geometric  structure  of  the  system.  This  is 
very  important  because,  frequently,  the  com- 
ponents comprising  a function  are  physically 
located  in  different  parts  of  the  system,  even 
in  different  equipment  cabinets.  Therefore, 
the  system  geometry  must  be  carefully  de- 
fined. 

The dependency diagrams can be very helpful in deriving reliability
block diagrams. A reliability model for reliability without repair
can be derived directly from these diagrams using Boolean algebra
techniques. In simple systems, ordinary functional diagrams are
sufficient to derive the reliability model. The dependency diagram
can become very complex for large systems. Therefore, it should be
constructed at a system level which permits the reliability model to
be derived but does not expand the diagram to the point where it
becomes cumbersome to use. A dependency diagram would never be drawn
at the circuit schematic level, for example. The dependency diagram
requires standard formatting rules, which minimize the chance of
error when deriving the reliability model.

6-2.3.2 Standard Formatting Rules

A standard set of dependency-diagram formatting rules is required to
show unambiguously the logical relations between system functions.
(This entire subparagraph is adapted from Refs. 2 and 4.) To be
useful, the formatting rules should be uniform, i.e., the same set of
symbols and rules must be usable at all levels of system disclosure.

FIGURE 6-3. Functional Diagram of the MBT-70 Tank (Ref. 7)

FIGURE 6-4. Tropospheric Scatter System Layout Plan (Ref. 8)

NOTES (Fig. 6-4):

1. pj = Radiated Power

2. ft = Center Frequency

3. Rj = Range

4. LOS = Line of Sight

5. Numbers in Circles Represent Station Call Letters

6. — Other Systems

7. Cj = Number of Channels Between Stations, Attachment Gives More
Detail.

FIGURE 6-5. Equipment Functional Diagram for Tropo Terminal, Station X8

The basic symbolic elements of the dependency diagram are described:

△ or ▽  The triangle indicates the existence of a dependency on
        another event. The apex of the triangle points toward the
        event which is depended upon.

○       The circle placed on a dependency line (in a particular
        column) indicates the existence of the functional element
        represented by that column.

□       The square represents an event or multiplicity of events
        (action or available output) which results from the proper
        operation of a specific group of functional elements and the
        availability of specific events.

By use of these basic symbols, a dependency diagram can be developed.
The dependency diagram symbolically illustrates the interdependencies
between the functional elements and events in the system. The
dependency diagram maps the functional interactions of a system into
a dependency structure.

In  addition  to  the  basic  symbols,  the  de- 
pendency diagram  also  makes  use  of: 

1.  Event  entries  (headings) 

2.  Functional  element  entries  (headings) 

3.  Data  rows 

4.  Notes  and  signal  specifications 

5.  Procedure  column. 

All  of  these  contain  information  which  is  use- 
ful for  the  generation  of  reliability  models. 

The column headings list the name and location of all events and
functional elements associated with the dependency diagram. Each
event and functional element is identified by means of an alphameric
code.

The  event  entries  can  indicate: 

1.  Inputs  from  external  equipment 

2.  Important  internal  events 


3.  Outputs  to  external  equipment 

4.  Terminal  events  such  as  outputs  from 
recorder,  PPI  scope,  or  headphone  set. 

If  the  events  are  to  be  observed,  such  as  at 
test  points,  the  point  of  observation  is  indi- 
cated in  the  event  entry  column.  If  events  are 
to  be  measured,  the  points  of  measurement 
are  indicated.  Specifications  or  descriptions 
for  the  event  are  referenced  by  a number  lo- 
cated in  a box  at  the  base  of  the  column  head- 
ing. The  physical  location  of  each  functional 
element  and  event  is  identified  at  the  top  of 
each  column.  The  combinatorial  rules  govern- 
ing groups  of  events  and  functional  elements 
can  be  summarized  in  the  headings. 

A set  of  standard  interpreting  rules  for 
logical,  mechanical,  electrical,  and  topological 
interrelationships  between  functional  ele- 
ments and  events  in  a system  must  be  used  in 
the  dependency  diagram.  The  distinction  be- 
tween topological,  electrical,  logical,  and 
mechanical  considerations  is  crucial  in  the  for- 
matting of  complex  systems. 

Topological relationships depict the physical interconnections
between functional elements. Electrical interrelationships indicate
functional signal processing interactions between elements. Logical
dependencies indicate the Boolean relationships among functional
elements. Mechanical dependencies indicate mechanical interactions
between elements in a mechanical system.

The  three  basic  symbols  (triangle,  circle, 
square)  are  combined  in  various  ways  to  form 
the  dependency  structure.  The  resultant  event 
and  the  functional  elements  and  dependencies 
upon  which  it  depends  are  connected  by 
means  of  the  horizontal  dependency  lines. 

There  are  nine  standard  rules  for  inter- 
preting the  structure  of  the  dependency  chart 
for  reliability  model  derivation,  i.e., 

1.  If  a circle  (functional  element) 
appears  in  a specific  column  several  times,  it 
represents  only  one  physical  entity. 

2.  Only  AND  dependencies  can  be 
depicted  on  a single  dependency  line. 

3.  Output  events  dependent  upon  a 
specific  functional  element  are  placed  to  the 
right  of  the  symbol  representing  that  element. 
Input  events  to  that  element  appear  to  the 
left  of  the  element. 
4. Both logical (in the Boolean sense) AND and OR dependencies can be
represented in the vertical direction.

5.  The  vertical  lines  demarking  the 
columns  delimit  physical  bounds  on  the  func- 
tional (electrical  and  mechanical)  inter- 
dependencies. Several  event  boxes  labeled 
separately  and  drawn  in  the  same  vertical 
column  represent  a group  of  signals  which  en- 
ter the  same  physical  terminal.  If  the  events 
are  drawn  one  each  in  a group  of  adjacent 
columns,  they  represent  signals  that  enter 
different  physical  terminals  of  the  same  func- 
tional element. 

6.  If  separately  labeled  events  are  drawn 
in  the  same  column  and  a dependency  triangle 
is  placed  under  each,  the  events  represent 
electrically  (or  mechanically)  distinct  signals, 
even  though  they  may  be  imposed  at  the  same 
physical  point.  (Distinct  signals  or  forces  are 
separated  by  time  as  well  as  frequency.)  If  a 
single  dependency  triangle  is  placed  under  the 
group  of  events,  they  are  electrically  (mechan- 
ically) similar. 

7.  A plus  sign  (+)  on  the  dependency  dia- 
gram indicates  that  some  group  of  functional 
elements  and  events  are  related  in  a logical 
OR  fashion. 

8.  A small  circle  (O)  or  dot  placed  on  the 
dependency  diagram  above  the  square  repre- 
senting an  event  indicates  that  the  functional 
elements  providing  inputs  to  that  event  are 
related  in  a logical  AND  fashion. 

9. Dummy Events: If groups of events are related in a complex manner
that is difficult to describe using the listed rules, or if the
resulting descriptions are ambiguous, a dummy event can be used. All
of the event outputs feed as inputs to the dummy event. The Boolean
relation or logical rule governing the interaction between the
elements is stated in the column heading above the dummy event and
just above the box representing the event.

These rules establish the dependency diagram as a device for
describing the topological, mechanical, logical, and electrical
relationships which govern the operation of a system. A number of
examples presented to illustrate the application of these rules
follow:

A. Simple Series Dependency. The simple series dependency for a
single functional element is shown in Fig. 6-6. The small circle
above the square (which represents the Z output) indicates an AND
series relationship between X, Y, and Z. This representation may be
extrapolated to a group of series functional elements.

FIGURE 6-6. Simple Series Dependency

B. Parallel Inputs (Figs. 6-7 through 6-10). Several possible
combinations can occur. The events A1, A2, and A3 enter functional
block S through the same terminal or different terminals, they are
electrically (mechanically) similar or electrically (mechanically)
different, and the event A4 depends upon A1, A2, and A3 in a logical
AND or logical OR fashion. Eight different dependency diagrams can be
drawn.

1. Identical Inputs, Same Terminal, AND Dependency (Fig. 6-7).
Standard rules 2, 3, 5, 6, 8, and 9 apply.

2. Identical Inputs, Same Terminal, OR Dependency. According to Rule
7, a (+) sign would be placed above the A4 box because of the OR
dependency. If the logical rule were combinatorial, the statement
m(n), meaning m of n, would be placed next to this (+) sign.

3. Identical Inputs, Different Terminals, AND Dependency (Fig. 6-8).
Standard rules 1, 3, 4, 5, 6, 8, and 9 apply.

4. Identical Inputs, Different Terminals, OR Dependency. An OR sign
(+) would be placed above A4 by Rules 7 and 4.

5. Different Inputs, Same Terminal, AND Dependency (Fig. 6-9).
Signals A1, A2, and A3 are different electrically (frequency or time
wise). Rules 1, 2, 3, 5, and 6 apply.

6. Different Inputs, Same Terminal, OR Dependency. An OR sign (+)
would be placed above A4 by Rules 7 and 4.

7. Different Physical Terminal, Different Inputs, AND Dependency
(Fig. 6-10). A1, A2, and A3 are different.

8. Different Physical Terminal, Different Inputs, OR Dependency. An
OR symbol would be placed above A4.

FIGURE 6-7. Identical Electrical Signals, Same Terminal, AND
Dependency

FIGURE 6-8. Identical Electrical Signals, Different Terminal, AND
Dependency (figure note: Ā_i = "not A_i")

FIGURE 6-9. Different Electrical Signals, Same Terminal, AND
Dependency (Ref. 2)

FIGURE 6-10. Different Physical Terminals, Electrically Different
Signals, AND Dependency (Ref. 2)

C. Large Numbers of Functional Branches in Parallel (Contractions).
In this situation, a functional element B interfaces with N parallel
branches, consisting of M elements in series (Fig. 6-11(A)). The
format of the dependency diagram depends on whether or not the
branches are identical and whether or not the functional elements
within each branch are identical. Several cases must be considered:

1.  All  MN  functional  elements  are 
different. 

2.  All  elements  in  a given  branch  are 
identical,  but  each  branch  is  different. 

3.  All  elements  in  a given  branch  are 
different,  but  each  parallel  branch  is  the  same. 

4.  All  elements  are  identical. 

Under  certain  circumstances,  when  large 
numbers  of  elements  are  involved,  contrac- 
tions can  be  used  to  simplify  the  dependency 
diagram.  Examples  follow: 

Case  1:  All  MN  elements  are  different. 
No  contractions  are  possible. 

Case 2: All elements in a given branch are identical, but each branch
is different. The branch can be contracted by means of a multiple
column contraction, Fig. 6-11(B). E represents a functional block
composed of F, G, and H in series. E and its composition are
described in the column heading. The resultant dependency diagram is
Fig. 6-11(C).

Case  3:  All  elements  in  a particular 
branch  are  different,  but  all  branches  are  iden- 
tical. The  multiple  row  contraction  can  be 
used,  but  not  the  multiple  column  contrac- 
tion. 

Case 4: All elements in all rows are identical. A further contraction is possible. This is called the multiple row contraction and is illustrated in Fig. 6-11(D). The N in the lower right hand corner of the event box indicates the number of parallel branches that are represented. This contraction is only possible when all the DN outputs are impressed upon a single functional entity.

6-2.3.3 Examples

Several  examples  illustrate  the  wide  varie- 
ty of  systems  whose  operation  can  be  repre- 
sented by  dependency  diagrams: 

1.  A simplified  tropospheric-scatter 
system  (electronic) 

2.  A relay  (electromechanical) 

3.  A packaged  speed  reducer  (mechani- 
cal). 

A block  diagram  and  dependency  chart  are 
given  for  each  system. 

A. A Simplified Tropospheric Scatter System (Electronic). The functional block diagram of the receive functions of a tropospheric scatter system is given in Fig. 6-12 and its dependency diagram in Fig. 6-13 (Refs. 2 and 8). The dependency diagram is drawn at the system level for simplicity. Diagrams also can be drawn for each of the functions. The functional block diagram is only one of the several descriptive techniques required for a tropospheric scatter system; however, a detailed system description which includes geographical deployment plan, station layout plan, system layout plan, etc., is not presented here.

B. A Relay (Electromechanical). The functional block diagram of a relay is shown in Fig. 6-14 and its dependency diagram is shown in Fig. 6-15 (Refs. 2 and 9). The relay dependency diagram describes an action-at-a-distance force, the electromagnetic field, and the mechanical action of the contacts. The dependency structure readily can be used to represent mechanical and action-at-a-distance forces and can, therefore, be used to describe a wide variety of systems.

FIGURE 6-11. Large Numbers of Functional Branches in Parallel 2

FIGURE 6-12. Power Supply Section of Tropospheric Scatter System Receive Function 2

FIGURE 6-12. Block Diagram of Tropospheric Scatter System Receive Functions 1 (cont'd)

FIGURE 6-13. Dependency Chart for Tropospheric Scatter System 2

FIGURE 6-14. Functional Diagram of a Relay 9

C.  A Packaged  Speed  Reducer  (Mechani- 
cal). A packaged  speed  reducer  is  an  example 
of  a mechanical  system  (Ref.  10).  Packaged 
speed  reducers  are  speed  reduction  gear  trains 
that  are  assembled  at  the  factory.  Their  use  as 
off-the-shelf  units  results  in  considerable 
savings  of  time  and  money.  The  output,  in 
this  case,  is  a rotation  of  the  output  shaft. 
The  output  speed  of  rotation  is  related  in  an 
exact  way  to  the  speed  of  rotation  of  the  in- 
put shaft  by  the  gear  arrangement.  A pack- 
aged speed  reducer  is  shown  in  Fig.  6-16  and 
its  dependency  diagram  in  Fig.  6-17. 

6-3 DEVELOPMENT OF RELIABILITY MODELS

6-3.1 INTRODUCTION

The development of a reliability model is a complex process which involves the structure of the system, up-state rules, the parameter to be computed, the computation method, and the repair and spares strategies. As a result of these interactions, the reliability model is not a fixed entity, even for a specific system. Specifically, a reliability model consists of some or all of the following:

1. Reliability block diagram(s)

2.  Definition  of  the  up-state  rules 

3.  Failure  and  repair  rates  of  all  func- 
tional elements 

4.  Definition  of  repair  strategies 

5.  Definition  of  spares  allocation  and 
strategies. 

The  manner  in  which  a reliability  model 
can  be  structured  is  discussed  in  detail  in  the 
paragraphs  that  follow. 

6-3.2  DEFINITIONS 

Before  proceeding  with  a detailed  dis- 
cussion of  the  derivation  of  reliability  models, 
mathematical  definitions  of  reliability  with- 
out repair,  reliability  with  repair,  instanta- 
neous availability,  steady  state  availability, 
and  mean  time  to  failure  (MTF)  must  be  de- 
veloped. These  definitions  are  presented  along 
with  several  other  useful  definitions,  as  adapt- 
ed from  Ref.  2. 

1.  Reliability  Without  Repair.  The 
s-reliability  without  repair  at  time  t is  defined 
as  the  probability  that  the  system  will  not  fail 
(will  perform  satisfactorily)  before  time  t,  as- 
suming that  all  components  are  good  at  t = 0 
(the  beginning  of  the  mission).  The  s-reli- 
ability vs  time  curve  has  a value  of  1 at  t = 0 
and  monotonically  decreases  for  increasing 
values  of  t. 

2. Reliability With Repair. The s-reliability with repair of a system is defined as the probability that the system will not fail before time t, given that all components are good at t = 0, but with the provision that redundant items which fail are repaired. For a 1-unit system or a system made up of units in series, the s-reliability with repair is the same as reliability without repair, since the failure of one unit is considered as a system failure and, by definition of s-reliability, the system is not permitted to go from a down-state to an up-state. The s-reliability with repair as a function of time begins at 1 for t = 0 and monotonically decreases. The shape of this curve is determined by the failure and repair distributions of the individual items as well as additional constraints on repairmen and/or spares.

FIGURE 6-15. Relay Dependency Diagram

3. Instantaneous Availability. The instantaneous availability of a system is defined as the probability that the system is up at the instant t, given that all components are good at t = 0. This means that the system could have failed and been restored many times during the interval from 0 to t. It also means that if repair is not allowed to take place on any of the items, the instantaneous availability is equal to the reliability without repair, because the only way the system could be up at the instant t under these circumstances is for the system to be up at t = 0 and remain up until t. The shape of the instantaneous availability curve depends on the types of failure and repair distributions the lowest level items are assumed to have.

FIGURE 6-16. Packaged Speed Reducer 10

FIGURE 6-17. Packaged Speed Reducer Dependency Diagram

4. Steady-state Availability. The steady-state availability of a system is the asymptotic value of the instantaneous availability and is defined as the probability that the system is up at any given point in time (but after a sufficiently long time so that steady-state is achieved). The steady-state availability is a constant and is not a function of time. Under the assumption of exponentially distributed times to failure and times to repair, the instantaneous availability monotonically decreases from a value of 1 to the steady-state availability and hence the steady-state availability under these circumstances is well defined and can be found readily.

5. Mean Time to Failure (MTF). The MTF of a system is defined as the mean time to system failure. This definition is valid for nonrepairable systems and for repairable systems. The MTF can be obtained by integrating the reliability function (without repair or with repair) from 0 to ∞, assuming that the integral exists. In this concept, once the system fails, it is dead and cannot be repaired.

It is important not to confuse the MTF with the MTBF (mean time between failures). MTBF may not be a workable concept for a particular system and may not be readily computed for complex repairable systems. For piece parts which are discarded after failure or for items that are restored to their original conditions and used as new spares, MTF is the appropriate concept.

6. Equipment. The term equipment will be used to designate an element of a system whose failure and repair characteristics are considered as those of a unit and not as a collection of smaller elements.

7. a. Up. An equipment or system is up if it is capable of performing its function.

b. Degraded. An equipment or system is degraded if it performs its function, but not well.

8. Down. An equipment or system is down if it is incapable of performing its function.

9. Design Redundancy. A system has design redundancy with respect to a given set of equipments if the system is up with only a part of the set in operation, i.e., the extra equipments are solely for the purpose of improving the reliability and availability characteristics of the system.

10.  On.  An  equipment  which  is  up  and 
in  operation  is  on. 

11.  Idle.  An  equipment  which  is  up  and 
not  in  operation,  i.e.,  being  held  in  standby  is 
idle. 

12.  Block.  A Block  is  a grouping  of  n 
identical  equipments.  The  reliability  of  the 
grouping  depends  only  on  the  number  of 
equipments  which  are  up  in  the  block  and  not 
on  which  equipments  in  the  block  are  up. 

13. Sections. A Section is an s-independent grouping of equipments within a system. A system is divided into sections when the number of system up-states is so large that computer calculations are difficult. For example, calculation of system MTF with repair requires an inversion of the state matrix. If the computer available to the analyst cannot handle a matrix, the analyst must subdivide the system into two or more separate sections and compute s-reliability with repair for each. The system s-reliability with repair is the product of the section s-reliabilities; the MTF is computed by numerically integrating the system s-reliability.

14. A k-out-of-n:G-system has n components and is Good (up) if and only if at least k of them are Good (up).

15. A k-out-of-n:F-system has n components and is Failed (down) if and only if at least k of them are Failed (down).

6-3.3  DERIVATION  OF  A RELIABILITY 
DIAGRAM 

The process of deriving a reliability block diagram (for s-reliability without repair) from a detailed system description is a complex process that involves many factors. This process must be analyzed to establish standardized procedures which form the basis of a formal mathematical technique. The analysis, using a part of a tropospheric scatter system, is described in the paragraphs that follow (Ref. 2).

Fig.  6-12  illustrates  the  equipment  config- 
uration for  the  receive  function  of  a tropo- 
spheric station.  Fig.  6-13  is  the  dependency 
diagram  and  Fig.  6-18  is  the  reliability  dia- 
gram for  the  system  in  the  particular  mode 
being  analyzed.  The  tropospheric  system  is 
complex  and  can  operate  in  several  modes. 
Each  mode  has  a different  reliability  diagram. 
The  possible  modes  are: 

1. Voice Set Group output consists of outputs from 14 to 24 physically available channels of which nine or more must be up. (This statement on the dependency diagram implies two reliability diagrams.) If more than nine Voice Sets are up, the reliability diagram shows them in parallel. If nine Voice Sets are up, the reliability diagram shows them in series.

2. The output from any specific voice set functionally depends on that particular voice set AND on the output from any of the 24 Channel Filter outputs AND on the output from "Engine Generator Set 1 OR Engine Generator Set 2". (The parallel group of Voice Sets is in series with the parallel group of Channel Filters and the parallel group of Engine Generator Sets.)

3. The Channel Filter outputs functionally depend on the corresponding Channel Filters AND on the Demodulator (via the Demodulator output) AND on the output from "Generator Set 1 OR Generator Set 2". (The parallel group of Channel Filters is in series with the Demodulator and the parallel group of Engine Generator Sets 1 and 2.)

4. The Demodulator output depends on the Demodulator Function AND on the Combiner series circuit output. The Combiner total output consists of an output via "Combiner Gain 1 AND 2" OR "Combiner Gain 3 AND 4". Both outputs via "Combiner Gain 1 AND 2" OR "Combiner Gain 3 AND 4" functionally depend on the Combiner series circuits (AGC and Summing Network) and Combiner Gain 1 AND 2 AND 3 AND 4, respectively. On the reliability diagram, the Demodulator is in series with the AGC and Summing Network which are in turn in series with Gain 1 AND 2 in parallel with Gain 3 AND 4.

5. Examination of the dependency diagram from this point to the system input reveals two chains of simple AND dependencies which are in parallel with each other. The first series chain consists of:

a. Received wave 1 (horizontal AND vertical component)

b. Antenna 1 (horizontal AND vertical feed)

c. Duplexer 1

d. Full polarization diversity, full space diversity¹

e. Full polarization diversity and degraded space diversity

f. Degraded polarization diversity and full space diversity

g. Degraded polarization diversity and degraded space diversity.

¹ In polarization diversity, the transmitting and receiving antennas have dual feed horns. The wave is simultaneously transmitted with both horizontal and vertical polarization. In space diversity, the same wave is transmitted simultaneously over several physically distinct paths. Degraded diversity means that only one polarization direction or propagation path is operable.

Each of these modes can operate with or without Orderwire². In this example, the case of full polarization diversity and degraded space diversity with up Orderwire is considered.

The  reliability  diagram  can  be  derived 
from  a simple  set  of  logical  statements  im- 
plied directly  by  the  dependency  diagram. 
The  set  of  logical  statements  follows  and  the 
effect  on  the  reliability  diagram  is  given  in 
parentheses : 

1.  System  output  consists  of  output 
from  Orderwire  circuits  and  Voice  Set 
Groups.  (Orderwire  circuits  AND  Voice  Set 
Groups  are  in  series.) 

2. Orderwire output functionally depends on Orderwire circuits AND Service Channel Line Equipment output AND Demodulator circuit output AND output from "Generator 1 OR Generator 2". (Orderwire circuits are in series with Service Channel Line Equipment and Demodulator and the parallel group of Generator Set 1 and 2.)

3.  The  Voice  Set  Group  output  depends 
on  the  outputs  from  any  of  the  Channel  Fil- 
ters, the  Demodulator,  Summing  Network, 
AGC  Network,  and  the  output  from  either  of 
the  Receive  Channels.  The  Receive  Channels 
each  consist  of  a series  grouping  of  functions. 
Receive  Channel  1 consists  of: 

a. Received Wave 1 (horizontal AND vertical component)

b. Antenna 1 (horizontal AND vertical feed)

c. Duplexer 1

d. Front-end 1

e. Front-end 2

f. Receiver 1

g. Receiver 2

h. Combiner Gain 1 AND 2.

The  second  Receive  Channel  consists  of: 

a.  Received  Wave  2 (horizontal  AND 
vertical  component) 

b.  Antenna  2 (horizontal  AND  verti- 
cal feed) 


² An Orderwire Channel allows station operators to communicate with each other.

FIGURE 6-18. Reliability Diagram, Tropospheric Scatter System Receive Mode, Full Polarization and Degraded Space Diversity

c. Duplexer 2

d.  Front-end  3 

e.  Front-end  4 

f.  Receiver  3 

g.  Receiver  4. 

(The  Channel  Filters  are  in  parallel.  This 
parallel  grouping  is  in  series  with  the  Demodu- 
lator, Summing  Network,  and  AGC  Network. 
These,  in  turn,  are  in  series  with  the  parallel 
combination  of  two  Receive  Channels.) 

4.  These  two  series  chains  of  functions 
are  in  series  with  the  output  from  Engine 
Generator  Set  1 OR  2.  (The  parallel  combi- 
nation of  Engine  Generator  Set  1 AND  2 is  in 
series  with  the  rest  of  the  system.) 

This  analysis  illustrates  that  the  informa- 
tion contained  in  the  dependency  diagram  can 
be  used  to  derive  a reliability  block  diagram 
for  the  case  of  s-reliability  without  repair.  To 
summarize  the  previous  discussions,  the  mini- 
mum information  elements  required  for  de- 
riving a reliability  block  diagram  are: 

1. A dependency chart that clearly indicates the interdependencies between functional elements and events

2.  A quantified  definition  of  the  system 
output 

3.  A statement  of  rules  defining  the 
system  up-state. 


6-3.4  MATHEMATICAL  DERIVATION  OF 
A RELIABILITY  DIAGRAM 

6-3.4.1 Basic Concepts

In  this  paragraph  a simple  example  of  how 
a reliability  block  diagram  can  be  derived 
from  a dependency  diagram  is  presented. 

Consider the dependency diagram in Fig. 6-19. A Boolean equation (Ref. 11) for each dependency line can be written as follows:

ANS = Z1 + Z2   (6-1)

Z1 = A · K
Z2 = Z3 · B
Z3 = Z4 · A   (6-2)
Z4 = C + Z5
Z5 = P · Q

By means of a series of substitutions, a Boolean function for the system can be generated in terms of its equipments. The steps are:

ANS = A · K + Z3 · B
    = A · K + (Z4 · A) · B
    = A · K + [(C + Z5) · A] · B   (6-3)
    = A · K + [(C + P · Q) · A] · B
    = A · K + B · [A · (C + P · Q)]

This function, when properly simplified and factored, forms the basis for the reliability block diagram. The factored form is:

ANS = A · [K + B · (C + P · Q)]   (6-4)

which is obtained by factoring A. The reliability block diagram corresponding to this tree is shown in Fig. 6-20.

FIGURE 6-19. Simple Dependency Chart 1
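The substitution and factoring steps of Eqs. 6-1 through 6-4 can be checked mechanically. The following is an added example, not code from the handbook: it expands the dependency lines by successive substitution, confirms by truth table that the result equals the factored form, and shows why the factoring matters when reliabilities are computed. The function names and the 0.9 equipment reliabilities are constructed for illustration, and the equipments are assumed s-independent.

```python
from itertools import product

# Dependency-line equations (6-1) and (6-2): each output is an AND or an OR of
# equipments (A, B, C, K, P, Q) and intermediate outputs (Z1..Z5).
DEPENDENCY_LINES = {
    "ANS": ("OR", ("Z1", "Z2")),
    "Z1": ("AND", ("A", "K")),
    "Z2": ("AND", ("Z3", "B")),
    "Z3": ("AND", ("Z4", "A")),
    "Z4": ("OR", ("C", "Z5")),
    "Z5": ("AND", ("P", "Q")),
}
EQUIPMENTS = ("A", "B", "C", "K", "P", "Q")

# Factored form (6-4), built inside out: ANS = A · [K + B · (C + P · Q)]
_pq = ("AND", ("P", "Q"))
_c_or_pq = ("OR", ("C", _pq))
_b_branch = ("AND", ("B", _c_or_pq))
FACTORED = ("AND", ("A", ("OR", ("K", _b_branch))))


def expand(name, lines=DEPENDENCY_LINES, path=()):
    """Successive substitution (the steps of Eq. 6-3): replace every
    intermediate output by its dependency line until only equipments remain."""
    if name not in lines:
        return name  # an equipment: nothing left to substitute
    if name in path:
        raise ValueError("circular dependency through " + name)
    op, operands = lines[name]
    return (op, tuple(expand(o, lines, path + (name,)) for o in operands))


def render(expr):
    """Write an expression in the page's notation (· for AND, + for OR)."""
    if isinstance(expr, str):
        return expr
    op, operands = expr
    joiner = " · " if op == "AND" else " + "
    return "(" + joiner.join(render(o) for o in operands) + ")"


def evaluate(expr, up):
    """True if the output is up for the given equipment up/down states."""
    if isinstance(expr, str):
        return up[expr]
    op, operands = expr
    results = [evaluate(o, up) for o in operands]
    return all(results) if op == "AND" else any(results)


def all_states(names=EQUIPMENTS):
    """Every combination of equipment up/down states."""
    for bits in product((False, True), repeat=len(names)):
        yield dict(zip(names, bits))


def equivalent(e1, e2):
    """Truth-table check that two Boolean functions agree in every state."""
    return all(evaluate(e1, s) == evaluate(e2, s) for s in all_states())


def reliability_exact(expr, r):
    """s-reliability without repair: total probability of the up-states."""
    total = 0.0
    for state in all_states():
        if evaluate(expr, state):
            p = 1.0
            for name, is_up in state.items():
                p *= r[name] if is_up else 1.0 - r[name]
            total += p
    return total


def parallel(x, y):
    return 1.0 - (1.0 - x) * (1.0 - y)


def reliability_from_factored(r):
    """Series/parallel evaluation of the block diagram given by Eq. 6-4."""
    return r["A"] * parallel(r["K"], r["B"] * parallel(r["C"], r["P"] * r["Q"]))


def reliability_naive_unfactored(r):
    """Wrong on purpose: reads A·K + B·[A·(C + P·Q)] as two independent
    parallel branches, which counts equipment A twice."""
    return parallel(r["A"] * r["K"],
                    r["B"] * r["A"] * parallel(r["C"], r["P"] * r["Q"]))


SAMPLE_R = {name: 0.9 for name in EQUIPMENTS}  # constructed values

if __name__ == "__main__":
    expanded = expand("ANS")
    print("expanded:", render(expanded))
    print("equals factored form:", equivalent(expanded, FACTORED))
    print("exact            :", round(reliability_exact(expanded, SAMPLE_R), 6))
    print("factored diagram :", round(reliability_from_factored(SAMPLE_R), 6))
    print("naive unfactored :", round(reliability_naive_unfactored(SAMPLE_R), 6))
```

The unfactored expression is a correct Boolean function, but it is not a valid block diagram because A appears in both branches; only after A is factored out can each block be multiplied as an s-independent item.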

6-3.4.2  A Complex  Example 

This  paragraph  explains  in  detail  how  a 
reliability  model  can  be  generated  for  a com- 
plex system  for  the  case  of  s-reliability  with- 
out repair;  it  is  adapted  from  Ref.  2.  The 
system  to  be  considered  is  the  tropospheric 
scatter  communications  system  described  pre- 
viously (Fig.  6-12). 

The reliability model can be generated by writing a Boolean expression for each dependency line. For example, if the dependency line shows that Z depends on A AND B, the Boolean equation is Z = A · B; similarly, if Z depends on A OR B, then the Boolean equation is Z = A + B. This notation is used rather than ∩ (AND) and ∪ (OR) in deference to considerable custom in writing Boolean expressions.

In the tropo system, the parallel series structure shown in Fig. 6-21 occurs. The items C1, C2, C3, ..., C24 are identical and in parallel; normally only 14 out of the 24 items are in operation, the remaining 10 being in standby. This situation also applies to the D1, D2, ..., D24 items. The output C" is up when 9 out of 14 C items are up and D" is up. The output D" is up when 9 out of 14 D items are up.

The Boolean statements for the tropo system are listed. The symbol PS is a code for parallel-series function and the statement 9(14) represents the up-state definition for "9-out-of-14". The unprimed terms represent equipments, and the primed terms represent outputs, which will be eliminated as the expression for system output is developed. The following general equations can be written for the parallel grouping of C and D:

C" = PS(C'(j), j = 1,24), 9(14)   (6-5)

D" = PS(D'(j), j = 1,24), 9(14)   (6-6)

C'(j) = C(j) · D'(j) · P'   (6-7)

D'(j) = D(j) · E' · P'   (6-8)

where E' represents the Demodulator output and P' represents the Power Supply output.


FIGURE 6-20. Simple Reliability Model

The Boolean equations for the tropo system (Fig. 6-13) are derived in the following manner:

Z' = A' · C"   (6-9)
A' = A · B' · P'   (6-10)
B' = B · E' · P'   (6-11)
C" = PS(C'(j), j = 1,24), 9(14)   (6-12)
C'(j) = C(j) · D'(j) · P'   (6-13)
D" = PS(D'(j), j = 1,24), 9(14)   (6-14)
D'(j) = D(j) · E' · P'   (6-15)
E' = E · F'   (6-16)
F' = G' + H'   (6-17)
G' = I · J' · K' · P'   (6-18)
H' = I · L' · M' · P'   (6-19)
J' = J · N' · P'   (6-20)
K' = K · O' · P'   (6-21)
L' = L · T' · P'   (6-22)
M' = M · U' · P'   (6-23)
N' = N · Q' · P'   (6-24)
O' = O · R' · P'   (6-25)
Q' = Q · S' · P'   (6-26)
R' = R · Y'4 · P'   (6-27)
S' = S · Y'3 · P'   (6-28)
T' = T · V' · P'   (6-29)
U' = U · W' · P'   (6-30)
V' = V · Y'1 · P'   (6-31)
W' = W · X' · P'   (6-32)
X' = X · Y'2 · P'   (6-33)

n 

= 

y . Y' 
1 1 ■*  5 

(6-34) 

n 

= 

(6-35) 

n 

= 

ya  • y; 

(6-36) 

n 

= 

y 4 • r; 

(6-37) 

n 

■ 

^ 

(6-38) 

n 

= 

‘ Y\2 

(6-39) 

n 

= 

y7  • r9 

(6-40) 

n 

= 

Y7  • 

(6-41)

P' = Y'13 + Y'14   (6-42)
Y'13 = Y13   (6-43)
Y'14 = Y14   (6-44)

These equations can be combined to generate a Boolean function for the system by a series of successive substitutions in the expression for Z'. Proceed as follows:

Given:

Z' = A' · C"   (6-9)

Substitute Eq. 6-10:

Z' = A · B' · P' · C"   (6-45)

Substitute Eq. 6-11:

Z' = A · B · E' · P' · P' · C"   (6-46)

Since P' · P' = P':

Z' = A · B · E' · P' · C"   (6-47)

Eqs. 6-12, 6-13, 6-14, and 6-15 must be analyzed as a group. They are equivalent to the following equations:

C" = PS(C'(j), j = 1,24), 9(14)   (6-12)

C'(j) = C(j) · D(j) · E' · P'   (6-48)

These can be further reduced.

C" = PS(C(j) · D(j), j = 1,24), 9(14)   (6-49)

   = PS(C(j), j = 1,24), 9(14) · PS(D(j), j = 1,24), 9(14) · E' · P'   (6-50)

   = C' · D' · E' · P'   (6-51)

where

C' = PS(C(j), j = 1,24), 9(14)   (6-52)

D' = PS(D(j), j = 1,24), 9(14)   (6-53)

C' and D' are subsequently treated as elementary items.

Substitute Eq. 6-51:

Z' = A · B · E' · P' · C' · D'   (6-54)

Substitute Eq. 6-16:

Z' = A · B · E · F' · P' · C' · D'   (6-55)

Substitute Eq. 6-17:

Z' = A · B · E · (G' + H') · P' · C' · D'   (6-56)

Substitute Eq. 6-18:

Z' = A · B · E · (I · J' · K' · P' + H') · P' · C' · D'   (6-57)

Substitute Eq. 6-19:

Z' = A · B · E · P' · C' · D' · (I · J' · K' · P' + I · L' · M' · P')   (6-58)

Substitute Eqs. 6-20 and 6-21:

Z' = λ · P' · (I · J · N' · P' · K · O' + I · L' · M' · P')   (6-59)

where

λ = A · B · E · C' · D'   (6-60)

Substitute Eqs. 6-22 and 6-23:

Z' = λ · P' · (I · J · N' · P' · K · O' + I · L · T' · M · U' · P')   (6-61)

Substitute Eqs. 6-24 and 6-25:

Z' = λ · P' · (I · J · N · Q' · P' · K · O · R' + I · L · T' · M · U' · P')   (6-62)

Substitute Eqs. 6-26 and 6-27:

Z' = λ · P' · (I · J · N · Q · S' · P' · K · O · R · Y'4 + I · L · T' · M · U' · P')   (6-63)

Substitute Eqs. 6-28 and 6-29:

Z' = λ · P' · (I · J · N · Q · S · Y'3 · P' · K · O · R · Y'4 + I · L · T · V' · M · U' · P')   (6-64)

Substitute Eqs. 6-30 and 6-31:

Z' = λ · P' · (τ · Y'3 · P' · Y'4 · I + I · L · T · V · Y'1 · M · U · W' · P')   (6-65)

where

τ = J · N · Q · S · K · O · R   (6-66)

Substitute Eqs. 6-32 and 6-33:

Z' = λ · P' · (τ · Y'3 · P' · Y'4 · I + I · L · T · V · Y'1 · M · U · W · X · Y'2 · P')   (6-67)

Substitute  Eqs.  6-34  and  6-35: 

Z'  = X • P'  • (r  • Z'  • P'  • 7'  • / + / 

• £T  • 7,  • 7'  • 7,  • Zg  • P') 

(6-68) 

where

σ = L · T · V · M · U · W · X   (6-69)

Z'  = X • P'  • (r  • Z3  • z;  • P'  • z4  • z; 

■ I + a-  I-  Y,  • Y'5  • Y,  • 7'  -P' 

(6-70) 

Substitute  Eqs.  6-38, 6-39, 6-40,  and  6-41: 

Z'  = X • P'  • C7-  / • Z3  • Y,  • Z9  • P' 

• Z 4 • Y„  +cr  * / • Zj  • Z5  • Zn 

• Z2  • Z 12  • P')  (6-71) 


Substitute Eq. 6-42:

Z' = λ · (Y'13 + Y'14) · [τ · ε1 · I · (Y'13 + Y'14) + σ · ε2 · I · (Y'13 + Y'14)]   (6-72)

where 

E = Z3  • Z4  • Z7  • Z9  • Y„ 

(6-73) 

^ = Y,  * Z2  • Z3  • Y„  • Z12 

(6-74) 

Substitute Eqs. 6-43 and 6-44:

Z' = λ · (Y13 + Y14) · [τ · ε1 · I · (Y13 + Y14) + σ · ε2 · I · (Y13 + Y14)]   (6-75)

   = λ · (Y13 + Y14) · [KON1 · I · (Y13 + Y14) + KON2 · I · (Y13 + Y14)]   (6-76)

where

KON1 = τ · ε1   (6-77)

KON2 = σ · ε2   (6-78)

Upon factoring out the term (Y13 + Y14) · I, one has

Z' = λ · (Y13 + Y14) · I · (KON1 + KON2)   (6-79)

The  tree  corresponding  to  Eq.  6-79  is  shown 
in  Fig.  6-22,  where  Dx  and  D,  are  dummy 
variables.  The  Boolean  symbols  in  Eq.  6-79 
each  represent  an  electrical  function  or  a 
group  of  electrical  functions,  namely: 

λ = A · B · E · C' · D'
  = (Orderwire)
  · (Service Channel Line Equip)
  · (Demodulator)
  · (Voice Sets)
  · (Channel Filters)

I = (AGC)
  · (Combiner Series Circuit)

Y13 = (Engine Gen Set 2)

Y14 = (Engine Gen Set 1)

KON1 = ε1 · J · N · Q · S · K · O · R
  = (Ant 2 Hor Receive)
  · (Ant 2 Vert Receive)
  · (Propagation Path 2)
  · (Ant 2 Hor Out)
  · (Ant 2 Vert Out)
  · (Combiner Gain 4)
  · (Dual Rcvr 4)
  · (Front End 4) · (Duplexer 2)
  · (Combiner Gain 3)
  · (Dual Rcvr 3)
  · (Front End 3)

KON2 = ε2 · L · T · V · M · U · W · X
  = (Ant 1 Hor Receive)
  · (Ant 1 Vert Receive)
  · (Propagation Path 1)
  · (Ant 1 Hor Out)
  · (Ant 1 Vert Out)
  · (Combiner Gain 2)
  · (Dual Rcvr 2)
  · (Front End 2)
  · (Combiner Gain 1)
  · (Dual Rcvr 1)
  · (Front End 1) · (Duplexer 1)

FIGURE 6-22. Boolean Tree


Refer  back  to  Fig.  6-18  for  the  final  reliability 
configuration. 

The  relative  ordering  of  equipment  is  not 
and  need  not  be  preserved  in  the  reliability 
model. 

6-3.4.3  Reliability  Models  for  Maintained 
Systems 

Reliability models for maintained systems require additional information above that derived from dependency diagrams and from the basic reliability block diagram. In practice (and in theoretical work) the distinction between redundancy and repair is often blurred. The names of some of the activities are sometimes different, but the activities themselves are very similar. We will use the term "replacement" to describe the activity of removing a unit that is presumed bad and inserting one that is presumed good. Whether it is the same unit after being repaired, or a different one, is irrelevant. Two examples are given.

6-3.4.3.1 Example No. 1 (Fig. 6-23)

All failure and replacement rates are constant. Blocks B and C have two kinds of spares, classified according to the ease of replacement; the kind shown separately in Fig. 6-23 are more difficult to replace.

FIGURE 6-23. System For Example No. 1 (Blocks A, B, and C; Block C is 3-out-of-7:G; 1 repairman, strategy is defined in the text; system is Good (up) if and only if A, B, C are Good (up))

The  system  consists  of  three  blocks: 

1. Block A is a 1-out-of-1:G-subsystem.

2. Block B is a 1-out-of-3:G-subsystem.

3. Block C is a 3-out-of-7:G-subsystem.

The  system  is  up  if  and  only  if  Blocks  A, 
B,  C are  Good  (up). 

The optimum repair strategy can only be determined by choosing a figure-of-merit to optimize, and then solving the problem. A reasonable set of priorities (in the absence of the complete solution) for the repairman might be the following:

1. Finish replacing the unit being worked on, if any.

2.  If  more  than  1 unit  is  failed,  choose, 
in  the  following  order,  the  one  to  be  replaced: 


a.  A unit  from  a block  that  is  down. 
If  more  than  one  block  is  down,  it  makes  no 
difference  which  is  chosen. 

b.  An  easily-replaceable  spare.  If 
more  than  one  block  is  down,  choose  the  one 
from  the  block  that  has  the  fewest  spares  that 
are  good. 

3.  If  a rule  is  not  given  completely 
enough,  choose  one  from  the  allowable  failed 
units  at  random. 

The  rules  can  become  quite  complicated 
in  a theoretical  analysis.  In  practice,  the  re- 
pairman should  not  be  required  to  make  com- 
plicated calculations  merely  to  find  out  which 
unit  to  work  on.  The  rules  also  can  be  so 
complicated  as  to  make  theoretical  analysis 
virtually  impossible.  If  the  replacement  rate  is 
much higher than the failure rate, the standard matrix techniques can be used.

FIGURE 6-24. System For Example No. 2 (Block A: 4-out-of-5:G; Block B: 5-out-of-7:G; 2 repairmen for each Block; system is Good (up) if and only if A and B are Good (up))


6-3.4.3.2  Example  No.  2 (Fig.  6-24) 

All failure and replacement rates are
constant. Block A is a 4-out-of-5:G-subsystem.
Block B is a 5-out-of-7:G-subsystem. There is
only 1 kind of spare in each block.

6-4  OTHER  MODELS 

The reliability block diagram has been
used throughout this chapter to illustrate
logic diagrams for a system. Other kinds of
diagrams, e.g., fault tree, might be more
appropriate in some cases. See Part Two,
Design for Reliability, for a discussion of these
other kinds of logic diagrams.

CHAPTER 7 KINDS OF REDUNDANCY AND REPAIR


7-1  INTRODUCTION 

Redundancy  and  repair  are  very  similar 
concepts.  In  the  general  case  where  switching 
is  not  instantaneous  it  is  easy  to  visualize  two 
similar  operations,  one  called  redundancy  and 
one  called  repair.  In  redundancy,  the  time 
used  to  replace  a faulty  unit  is  usually  shorter 
than  the  time  a repair  is  considered  to  take. 

There  are  many  important  considerations 
in  a redundancy/repair  situation,  i.e., 

1.  In  what  state  are  all  the  units  at  t = 0? 
How  does  one  know?  Is  checkout  perfect? 

2. In what state is a repaired unit? Is it
good-as-new? How does one know? Is
checkout perfect?

3. In what state is a repaired system?
How does one know? Is checkout performed?
Is it perfect?

4. What kinds of failures are being
alleviated? If failures are due to the rare, random
occurrence of severe conditions, redundancy
might not be of much help.

5. How difficult is it to know that a unit
has failed? How difficult is it to remove the
faulty unit and replace it?

6. How much of an improvement in
reliability is needed or expected? What reliability
measure is important in your case? For
example, mean time to failure is not a good
reliability measure for short times.

7.  How  much  does  redundancy/repair 
cost  in  weight,  dollars,  volume,  design  effort, 
checkout,  schedule  time,  heat  dissipation, 
system  complexity,  extra  connectors,  etc.? 

8.  What  about  switching?  Is  information 
lost  during  switching? 

9.  What  about  the  failure  behavior  of 
standby  equipment? 

10.  Under  what  conditions  are  failures 
s-independent?  When  the  correct  calculations 
have  been  made,  how  much  improvement  in 
reliability  will  there  be? 

7-2  KNOWLEDGE  OF  SYSTEM  STATE 

In order to analyze a system, one needs to
know the state (condition) of the system at
several time instants. The two most important
instants are “time = zero” and “just after
repair”.

If a system contains any redundancy, the
question arises, “How does one know that
each unit is good?” Just knowing that the
system is up is not enough, since some units
could be bad and the system would still be
up. Therefore, there must be checkout of
each unit in the system. This involves
hardware, software, time, and money. Checkout is
rarely perfect. Will the analysis take that into
account? The knowledge of system state at
“time = zero” is also important because in
many analyses, a system or unit is presumed
to be good-as-new viz., “time = zero” again
after repair.

There are only two tractable choices in
deciding the condition of a unit after repair:
good-as-new and bad-as-old. Good-as-new
often is taken to mean “perfect”, but if
checkout is involved all it means is that time reverts
to zero for the unit that is good-as-new. The
phrase bad-as-old was coined to contrast with
good-as-new and to illustrate the condition
where the failure rate of the system
“immediately after a repair” is the same as it was “just
before repair”. An internal combustion engine
after a minor tune-up is a good illustration of
bad-as-old. The major components of the
engine didn’t change; perhaps all that was done
was to clean and regap the spark plugs, and
adjust the distributor gap and the timing. The
engine certainly is not good-as-new. A Poisson
process with nonconstant rate is an example
of the bad-as-old behavior.

When the failure rate of each unit is
constant, there is no difference between
bad-as-old and good-as-new.

In theoretical analyses with complicated
system-states a common assumption is that
the repaired unit is good-as-new, but the other
units are bad-as-old. Of course, because of
tractability considerations, failure rates of
units are assumed most commonly to be
constant so that any time the system is known to
be working, it is good-as-new. Many papers
require that the assumptions be inferred from
the mathematics; the authors have been
remiss in stating assumptions.

Many systems use periodic checkout to
ascertain the state of the system. Preventive
maintenance is performed as required. But
any time maintenance of any kind is
performed, there is the real possibility and
danger that some part of the system has been
damaged unknowingly. There is a short period
of “infant mortality” immediately after
anyone fusses with any complicated system. One
illustration of this fact is that, at least during
World War II, the repair crew chief for aircraft
was supposed to go along on the checkout
flight after a repair.

The state of a complicated real system is
not an easy thing to determine. Many analyses
make the blithe assumption of perfection
after repair, replacement, or checkout. Real
equipment is rarely like that.

7-3 SYSTEM LEVEL FOR REDUNDANCY APPLICATION

In a system, at what level ought
redundancy to be applied? In principle (in the
mathematics anyway), one could make every
piece-part redundant, or one could just have several
systems. All of the factors listed in par. 7-1
apply to this decision. The question of
switching is especially important, simply because so
often it is assumed (in the mathematics) to be
perfect: zero cost, instantaneous, no
information lost, no size or weight, no design time,
etc.

The lower the level at which redundancy
is applied, the more likely are common-mode
failures to be important. The question of
conditional s-independence needs to be
investigated very carefully. This question is allied
closely with the level at which repair parts
ought to be stocked. What about throw-away
maintenance? At what level ought it be
performed?

In practice, an analysis barely can hope to
scratch the surface. Some rough guidelines
can be developed, but pilot projects are the
places where knowledge is really gained. It is
easy for the proposed system to be intractable
for anything but a Monte Carlo simulation.
Therefore, the design engineer and his staff
analysts need to know what simulation
languages are available on their computer.

Many analyses are scattered in the
literature. Rarely will the one be there that you
want. They can, however, give an idea about
what to analyze and what direction the results
might take. See the chapters that follow and
the Bibliography at the end of this chapter for
some sources.

Roughly speaking, the lower the level at
which redundancy is applied, the more
effective it is (if switching is perfect and failures
are s-independent) and the more it costs (in
everything).

7-4  METHOD  OF  SWITCHING 

In virtually all systems, some kind of
“switching” is necessary for redundancy to be
effective. A fluid flow system might require a
check-valve on each redundant pump; an
electronic system might have to be disconnected.
The three main categories discussed here are
automatic, manual, and repair.

In automatic switching, the operator need
not do anything in case of a unit failure. He
may not even be aware that anything has gone
wrong. This is the easiest kind of redundancy
to analyze, although it is difficult to
implement in hardware. If periodic checkout is not
performed, the failed unit might not be
discovered until system failure.

Manual  switching  and  repair/replacement 
are  different  degrees  of  the  same  thing.  An 
operator  might  have  only  to  turn  a switch  or 
valve  handle;  or  he  may  merely  release  some 
catches  or  quick  disconnects,  pull  out  the 
faulty  unit,  and  shove  in  a good  one.  The  time 
it  takes  for  removal/installation  and  the  time 
for  acquiring  the  spare  are  usually  matters  of 
degree,  rather  than  of  kind,  in  the  analysis.  In 
a fixed  ground  installation,  the  whole  thing 
might  be  accomplished  in  a few  minutes  for  a 
radio-receiver.  The  transmission  in  a tank 
might  take  hours  to  remove/install  and  days 
to  fix  or  acquire  another. 

The  method  that  the  designer  finally 
chooses  depends  on  the  system  specifications 
and  constraints,  on  what  he  is  familiar  with, 
and  on  what  he  thinks  will  really  happen  in 
the  field.  A lot  depends  on  the  kind  of  logistic 
system  in  use  for  that  equipment. 

Often, a Monte Carlo simulation of the
system is the only practical way to analyze
what will happen. In such an analysis it often
pays to be aware of some of the “paths” a
system takes during the failure/repair
sequences. In complicated systems, the designer
might be quite surprised at what happens;
situations easily can arise that the designer never
dreamed of.

Reconfiguration of the system to operate
in a degraded mode after a failure and before
a repair is effected is often a desirable
situation. A computer for example might
continue to operate but at a lower speed during the
5 min it takes to remove and replace a unit. A
communication system might slow its message
rate during switchover. The slew rate of a
hydraulically powered system might drop to
one-third its usual value while a redundant
part of the pumping system is being replaced.

As a matter of practical fact, a designer
will make many decisions without using much
more than the engineering judgment of
himself and his associates (staff or line). There is
not enough time, money, or people to analyze
everything.

7-5 FAILURE BEHAVIOR OF SPARES AND OTHER PARTS

The terminology in this field is very
confusing because it has grown like Topsy. The
best terminology seems to be cold-warm-hot
spares; it is flexible and is not confused with
other aspects of system design. The crux of
the matter is the failure behavior of the units;
but some of the terminology refers to the use
of the unit and only indirectly implies the
failure behavior. The remainder of this
paragraph presumes constant failure rates. More
complicated failure distributions can be
discussed, but the origin of time must always
then be kept track of for every unit, a
difficult task indeed.

A cold unit has zero failure rate. This is
not a likely situation because spares in
storage, etc., do deteriorate. But it is very
tractable in an analysis. This is the same as
passive-redundancy. In many cases it is what an
author means by standby-redundancy (unless
he has otherwise specified the failure
behavior).

A hot unit has the same failure rate as an
operating unit, regardless of whether it is
actually in operation or not. This is the same as
active redundancy. It is sometimes implied
(by some authors) just by the word
redundancy.

A warm unit has a failure rate somewhere
between a hot unit and a cold unit. Often it is
taken to be the general case and includes hot
and cold as limiting situations.

In some analyses where the units always
are working, the individual failure rates
depend on the number that are working. A
conceptually simple example is several induction
motors (tied firmly together so that their
shafts are effectively in line). Suppose the
failure mode is insulation failure due to
temperature rise and there are six high-slip 5-hp
motors driving a 20-hp load. The temperature
rise of the operating motors will depend on
the number of operating motors. Allow 10
percent for nonuniform distribution of load.
Then the maximum load on each motor when
six motors are operating is (20-hp/6) × 1.1 ≈
3.7-hp; for five motors it is 4.4-hp; for four
motors, it is 5.5-hp; and for three motors, it is
7.3-hp. Obviously, the insulation will degrade
much faster as the number of motors is
reduced. At nominal 7.3-hp load, the current
would probably be high enough to kick out
the overloads. Another example is a
communication system. If radio receivers are
handling traffic in parallel, the failure rate of each
receiver is probably independent of the
number of units which are operating, unless heat
dissipation is a critical factor.

It is best to use a term to describe
redundancy which indicates the failure rate
behavior, not the operating condition of a
redundant/spare unit.

7-6  STYLES  OF  REDUNDANCY 

There are at least three styles of creating
redundancy:

(1) k-out-of-n systems

(2) Voting techniques

(3) Other.

The “Other” category includes combinations
of the first two, and multiple units which do
not easily reduce to k-out-of-n. Hammock
(bridge) networks are in the latter category. It
is most important to distinguish between the
physical system and the logic chart used to
describe the physical system. The description
difficulty typically arises when there are two
“opposite” failure modes: open - short, dud -
premature, too soon - too late, high - low,
etc.; then at least two logic charts are
necessary for the one physical system. Very often a
redundant feature for one mode turns out to
be a series feature for the other mode. For
example, features which decrease the
probability of prematures, will usually increase the
probability of duds. The Bibliography at the
end of this chapter shows sources of further
information.

7-6.1  k-OUT-OF-n  SYSTEMS 

A k-out-of-n:G-system has n units and is
Good (up) if and only if at least k units are
Good (up).

A k-out-of-n:F-system has n units and is
Failed (down) if and only if at least k units
are Failed (down).

A series system is a 1-out-of-n:F
(n-out-of-n:G)-system, i.e., if 1 unit fails, the system
fails; all units must be good for the system to
be good.

A parallel system is usually taken to be a
1-out-of-n:G (n-out-of-n:F)-system, i.e., if 1
unit is good, the system is good; all units
must be failed for the system to fail.

A k-out-of-n:F system is an (n - k + 1)-
out-of-n:G-system; and a k-out-of-n:G-system
is an (n - k + 1)-out-of-n:F-system.
Sometimes the name parallel-system is used
synonymously with a k-out-of-n system. Since the
term parallel is ambiguous, it is best avoided
when accurate description is needed. The
k-out-of-n:G or k-out-of-n:F notations are
much to be preferred.

A k-out-of-n system is also an ambiguous
phrase and is used both ways in the literature.
It is best to use the :G or :F notation when
accurate description is needed, and to define
it.

The k-out-of-n system is usually easy to
analyze if the redundancy is either hot or cold
and the switching is perfect. The general case
for warm redundancy and imperfect switching
has not been solved in general. Some results
are available for small n and constant failure
rates for each unit. Ref. 3 provides an
extended summary and analysis of many k-out-of-n
systems.

7-6.2  VOTING  TECHNIQUES 

Voting ordinarily is associated with digital
electronic circuits, although some circuits for
analog electronic systems have appeared in
the literature. It does not appear to be
applicable at all to mechanical systems.

A voter has n active inputs; the output
corresponds to the inputs which are the same
for more than n/2 of the inputs. In most
hardware implementations, n = 3, and two inputs
determine the output. If a unit fails (and the
failure is somehow sensed), the failed unit can
be removed and the voter can be restructured.
If n = 3 and one unit fails without being
removed, then n = 2 and all must agree, in order
for a signal to be passed on. If those two
disagree, then the designer has to decide what to
do. Refs. 1, 2, and 4 discuss this situation and
give some other references.

It is possible to have some spares for some
voters, e.g., each element could be a
k-out-of-n subsystem. The voters themselves can be
arranged in a voting fashion. Refs. 1 and 4
describe many of the possibilities for
redundancy in computers. Refs. 2 and 3 give many
of the formulas that are useful in analyzing
these redundancies.

7-6.3  OTHER  SYSTEMS 

Voting techniques can be combined with
k-out-of-n systems to enhance hardware
reliability along with masking of faults which need
not be permanent. Very elaborate
redundancy techniques are best avoided unless an
extremely thorough investigation, both
theoretical and practical, has been made of the
proposed system. Coverage is a term used to
describe the detection-switching-retention
process in redundancy. In order for automatic
redundancy to be effective, failed units must
be detected accurately and without false
alarms, then the spare unit (somehow known
to be good) must be switched in, and the
information that the system was processing
cannot be mangled during the operation.

There are redundant (nonvoting) systems
that cannot be reduced to the k-out-of-n type.
The logic diagrams for the irreducible
networks often are called bridge or hammock
networks (bridge because of the similarity to
a Wheatstone bridge; hammock because the
appearance can be like a rope hammock). The
success or failure events for these networks
usually are more complicated than simple
series-parallel networks. Some analytic
methods of reliability calculation do not handle
bridge networks very well.

There are, of course, many kinds of
redundancy which are not easily classified. For
example, some auxiliary systems to be used
only in emergencies are not equivalent to the
systems they “replace”. Another example is
the restructuring kind of redundancy where,
if a unit fails, other units are restructured to
keep the system going, albeit at a reduced
level.

CHAPTER 8 RELIABILITY PREDICTION
(PASSIVE REDUNDANCY, PERFECT SWITCHING)


8-0  LIST  OF  SYMBOLS 

$i_s$, $i_o$, $i_g$ = event of short, open, or good for capacitor $i$

$F$ = event of failure

k-out-of-n:F = special kind of system

k-out-of-n:G = special kind of system

$MTF_i$ = Mean Time to Failure for case $i$

$n$ = number of logic elements

$n_t$ = greatest integer $< n/2$

$\mathcal{R}_i$ = s-reliability for case $i$

$R_i$, $R$ = element s-reliabilities

$R_v$ = s-reliability of the voter

$\bar{\mathcal{R}}_i = 1 - \mathcal{R}_i$

$\bar{R}_i = 1 - R_i$

s- = denotes statistical definitions

8-1  INTRODUCTION 

This chapter deals with the simplest of
formulas. The probability of failure of each
element is not affected by its active/standby
status nor by the condition of other elements.
Switching is either (a) perfect, i.e., switching
and all of its ramifications are not considered
at all; or (b) can be represented adequately by
a block in the logic diagram.

In analyzing a system by this method, the
distinction between the physical situation and
the logic chart always must be kept in mind.
Elements that are physically in series can be
logically in parallel (it depends on failure
modes). If two centrifugal pumps are
physically in tandem and one stops running, the
other could possibly carry the load; they
would be logically in parallel. Refs. 3-8 give
many formulas for system reliability. Series
and parallel are terms which are best avoided
when precision is necessary.

All element behaviors are conditionally
s-independent (the “conditional” is to
emphasize that unconditional s-independence is
rarely obtained).


8-2 k-OUT-OF-n SYSTEMS

A k-out-of-n:F-system has n elements and
Fails if and only if at least k elements Fail.

A k-out-of-n:G-system has n elements and
is Good if and only if at least k elements are
Good.

Case 1. k-out-of-n:G, all $R_i = R$

$\mathcal{R}_1 = \sum_{i=k}^{n} \binom{n}{i} R^{i} \bar{R}^{n-i}$  (8-1a)

$\bar{\mathcal{R}}_1 = \sum_{i=n-k+1}^{n} \binom{n}{i} R^{n-i} \bar{R}^{i}$  (8-1b)

Case 2. k-out-of-n:F, all $R_i = R$

$\bar{\mathcal{R}}_2 = \sum_{i=k}^{n} \binom{n}{i} R^{n-i} \bar{R}^{i}$  (8-2a)

$\mathcal{R}_2 = \sum_{i=0}^{k-1} \binom{n}{i} \bar{R}^{i} R^{n-i} = \sum_{i=n-k+1}^{n} \binom{n}{i} \bar{R}^{n-i} R^{i}$  (8-2b)

Case 3. 1-out-of-n:G (parallel)

$\bar{\mathcal{R}}_3 = \bar{R}_1 \bar{R}_2 \cdots \bar{R}_n$  (8-3)

Case 4. 1-out-of-n:G (parallel), all $R_i = R$

$\bar{\mathcal{R}}_4 = \bar{R}^{n}$  (8-4)

Case 5. 1-out-of-n:F (series)

$\mathcal{R}_5 = R_1 R_2 \cdots R_n$  (8-5)

Case 6. 1-out-of-n:F (series), all $R_i = R$

$\mathcal{R}_6 = R^{n}$  (8-6)

The formulas for k-out-of-n systems when all
$R_i \neq R$ are not tractable. They are derived
generally as shown in par. 8-4.
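
The cases of par. 8-2 can be checked numerically. The Python below is an added example, not code from the handbook: it evaluates Cases 1 and 2 directly and, for unequal s-independent element reliabilities, substitutes a dynamic-programming recurrence over the number of good elements for the event listing of par. 8-4. All function names are hypothetical.

```python
from math import comb


def k_of_n_g_identical(k, n, r):
    """Case 1: reliability of a k-out-of-n:G system, all elements with reliability r.

    The system is Good when at least k of the n elements are Good.
    """
    q = 1.0 - r
    return sum(comb(n, i) * r**i * q**(n - i) for i in range(k, n + 1))


def k_of_n_f_identical(k, n, r):
    """Case 2: reliability of a k-out-of-n:F system, all elements with reliability r.

    The system Fails when at least k elements Fail, so it is Good
    while 0 .. k-1 elements have failed.
    """
    q = 1.0 - r
    return sum(comb(n, i) * q**i * r**(n - i) for i in range(k))


def good_count_distribution(rs):
    """Return dist where dist[j] = Pr{exactly j elements are Good}.

    rs holds the (possibly unequal) element reliabilities; elements are
    taken to be s-independent. One element is folded in per pass.
    """
    dist = [1.0]
    for r in rs:
        nxt = [0.0] * (len(dist) + 1)
        for j, pj in enumerate(dist):
            nxt[j] += pj * (1.0 - r)   # this element is Failed
            nxt[j + 1] += pj * r       # this element is Good
        dist = nxt
    return dist


def k_of_n_g(k, rs):
    """Reliability of a k-out-of-n:G system with unequal element reliabilities."""
    return sum(good_count_distribution(rs)[k:])


def k_of_n_f(k, rs):
    """Reliability of a k-out-of-n:F system, using the (n - k + 1)-out-of-n:G equivalence."""
    return k_of_n_g(len(rs) - k + 1, rs)


if __name__ == "__main__":
    rs = [0.9, 0.8, 0.7]  # constructed sample reliabilities
    print("2-out-of-3:G, R = 0.9      :", k_of_n_g_identical(2, 3, 0.9))
    print("2-out-of-3:G, unequal R_i  :", k_of_n_g(2, rs))
    print("1-out-of-3:G (parallel)    :", k_of_n_g(1, rs))
    print("1-out-of-3:F (series)      :", k_of_n_f(1, rs))
```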

8-3 COMBINATIONS OF SERIES-PARALLEL ELEMENTS

Many systems can be considered as made
up of series-parallel combinations of elements.
A convenient technique for reliability
calculations is to reduce each simple combination of
series or parallel elements to a single element
with the reliability of the combination.
Example No. 1 (Fig. 8-1) shows how the reduction
is performed. Fig. 8-1(A) shows the original
logic chart. Each block is an element and is
numbered. Equivalent blocks are numbered
further.

The first reduction takes place as follows
(Fig. 8-1(A) to Fig. 8-1(B)):

$\bar{R}_{14} = \bar{R}_7 \bar{R}_8 \bar{R}_9$  (8-7a)

$R_{14} = 1 - \bar{R}_{14}$  (8-7b)

$R_{15} = R_{10} R_{11}$  (8-8a)

$\bar{R}_{15} = 1 - R_{15}$  (8-8b)

$R_{12} = R_2 R_3$  (8-9a)

$\bar{R}_{12} = 1 - R_{12}$  (8-9b)

$\bar{R}_{13} = \bar{R}_4 \bar{R}_5$  (8-10a)

$R_{13} = 1 - \bar{R}_{13}$  (8-10b)

The second reduction is as follows (Fig.
8-1(B) to Fig. 8-1(C)):

$R_{16} = R_6 R_{14}$  (8-11a)

$\bar{R}_{16} = 1 - R_{16}$  (8-11b)

The third reduction is as follows (Fig.
8-1(C) to Fig. 8-1(D)):

$\bar{R}_{17} = \bar{R}_{15} \bar{R}_{16}$  (8-12a)

$R_{17} = 1 - \bar{R}_{17}$  (8-12b)

The fourth reduction is as follows (Fig.
8-1(D) to Fig. 8-1(E)):

$R_{18} = R_{13} R_{17}$  (8-13a)

$\bar{R}_{18} = 1 - R_{18}$  (8-13b)

The fifth reduction is as follows (Fig.
8-1(E) to Fig. 8-1(F)):

$\bar{R}_{19} = \bar{R}_{12} \bar{R}_{18}$  (8-14a)

$R_{19} = 1 - \bar{R}_{19}$  (8-14b)

The final reduction is as follows (Fig.
8-1(F) to Fig. 8-1(G)):

$R_{20} = R_1 R_{19}$  (8-15a)

$\bar{R}_{20} = 1 - R_{20}$  (8-15b)


Thus a series of series-parallel reductions
has solved the example problem in Fig. 8-1.
There is no good reason to combine all the
formulas into one expression; it would be
tedious, long, and cumbersome.

Not all systems can be reduced by this
technique, but a great many can. If the
switching is not perfect, one of the other
techniques is better, if for no other reason
than that not all failure events are likely to be
s-independent.
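
The reduction procedure of par. 8-3 can be written as a short recursive routine. The Python below is an added example, not code from the handbook: the groupings (12 from 2 and 3, 13 from 4 and 5, 14 from 7, 8 and 9, and so on up to 20) follow the reductions above, while the series or parallel type of each group is an assumption, since Fig. 8-1 is not reproduced here. Element reliabilities are constructed values, and the result is cross-checked by enumerating all element states.

```python
from itertools import product
from math import prod

# Logic chart as a nested tuple: ("S", ...) is a series group (1-out-of-n:F, Eq. 8-5),
# ("P", ...) is a parallel group (1-out-of-n:G, Eq. 8-3); integers are element numbers.
# Assumed structure (series/parallel types are an assumption of this example):
BLOCK_14 = ("P", 7, 8, 9)
BLOCK_15 = ("S", 10, 11)
BLOCK_12 = ("S", 2, 3)
BLOCK_13 = ("P", 4, 5)
BLOCK_16 = ("S", 6, BLOCK_14)
BLOCK_17 = ("P", BLOCK_15, BLOCK_16)
BLOCK_18 = ("S", BLOCK_13, BLOCK_17)
BLOCK_19 = ("P", BLOCK_12, BLOCK_18)
CHART = ("S", 1, BLOCK_19)          # equivalent block 20


def reduce_chart(node, r):
    """Reduce a series-parallel chart to one reliability.

    r maps element number -> s-reliability; elements are s-independent.
    """
    if isinstance(node, int):
        return r[node]
    kind, *children = node
    values = [reduce_chart(child, r) for child in children]
    if kind == "S":
        return prod(values)                      # all must be good
    return 1.0 - prod(1.0 - v for v in values)   # all must fail


def chart_is_good(node, up):
    """Structure function: is there a continuous path, given element states?"""
    if isinstance(node, int):
        return up[node]
    kind, *children = node
    states = (chart_is_good(child, up) for child in children)
    return all(states) if kind == "S" else any(states)


def brute_force_reliability(chart, r):
    """Sum the probabilities of every element-state combination that is Good."""
    elements = sorted(r)
    total = 0.0
    for bits in product((True, False), repeat=len(elements)):
        up = dict(zip(elements, bits))
        if chart_is_good(chart, up):
            total += prod(r[e] if up[e] else 1.0 - r[e] for e in elements)
    return total


if __name__ == "__main__":
    r = {e: 0.9 for e in range(1, 12)}   # constructed: every element R = 0.9
    r20 = reduce_chart(CHART, r)
    print("R_20 =", r20, " unreliability =", 1.0 - r20)
    print("state enumeration:", brute_force_reliability(CHART, r))
```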

8-4  EVENT  ANALYSIS 

When logic charts are not series-parallel
arrangements, the analysis can proceed by
looking at all possible events, classifying them
into appropriate subsets (e.g., system-good,
system-degraded, system-failure-type-1,
system-failure-type-2). Then the probability of
each subset is calculated by the rules for
evaluating probabilities of combinations of
events (Chapter 3).

FIGURE 8-1. Logic Diagrams for Example No. 1:
(A) Initial Logic Chart; (B) First Reduction of Logic Chart;
(C) Second Reduction of Logic Chart; (D) Third Reduction of Logic Chart;
(E) Fourth Reduction of Logic Chart; (F) Fifth Reduction of Logic Chart;
(G) Final Reduction of Logic Chart.
Series combinations are 1-out-of-n:F; use Eq. 8-5.
Parallel combinations are 1-out-of-n:G; use Eq. 8-3.
Find the system reliability and unreliability.
In this kind of diagram, success is a continuous path from input to output.

Logic charts generally are drawn from a
physical diagram and a knowledge of the
requirements for success. In some cases, as in
Example No. 2 (Fig. 8-2), it is too
complicated to draw logic diagrams; instead the
events are listed. There are three possible
states of each capacitor and four capacitors;
there are $3^4 = 81$ possible combinations. In
order to simplify Table 8-1, the capacitor
numbers are listed at the top of each column,
and an “o”, “s”, or “g” put in the column for
each event. An “f” indicates Failed for the
network; a blank indicates Good. It is failed if
(1 and 2 are short) ∪ (3 and 4 are short) ∪ (1
and 4 are short) ∪ (3 and 2 are short) ∪ (1
and 3 are open) ∪ (2 and 4 are open). Table
8-1 is long and tedious. The events can be put
in more symbolic notation and give the same
results, i.e.,

$F = (1_s \cap 2_s) \cup (3_s \cap 4_s) \cup (1_s \cap 4_s) \cup (2_s \cap 3_s) \cup (1_o \cap 3_o) \cup (2_o \cap 4_o)$  (8-16)

However, the events in the Table are all
mutually exclusive whereas the events in
parentheses in Eq. 8-16 are not.

It  takes  but  little  imagination  to  realize 
that  this  approach  can  get  out  of  hand  with 
very  little  complication  of  the  network  or 
system. 

8-5  CUTSETS 

A cut set is an event (subset of the sample
space) such that when it occurs, the system
fails in the indicated failure mode. A minimal
cut set is a cut set such that the elimination of
any element renders it no longer a cut set.

FIGURE 8-2. Physical Diagram for Example No. 2 (capacitor bridge).
Capacitors can fail open or short. The network is good as long as it
is neither open nor short.
$i_o$ implies “open circuit of capacitor $i$”;
$i_s$ implies “short circuit of capacitor $i$”;
$i_g$ implies “good capacitor $i$”.

In the example from par. 8-4, in Fig. 8-2
and Eq. 8-16, each of the six events in
parentheses in Eq. 8-16 is a minimal cut set. The
Pr{F} in Eq. 8-16 can be calculated by an
iterative procedure using Eq. 2-20 which
provides a series of upper and lower bounds on
the Pr{F}.

The first upper bound is the sum of the
probabilities of each of the six events in
parentheses in Eq. 8-16. The first lower bound is
found by subtracting (from the first upper
bound) the sum of the probabilities of the 15
unions of each pair of the six events. The
second upper bound is found by adding (to
the first lower bound) the sum of the
probabilities of the 20 unions of each triplet of the
six events. As shown in Eq. 2-20, the unions
are taken two, then three, then four, then
five, and finally six at a time. The odd ones
(one, three, five) are added, the even ones
(two, four, six) are subtracted. An example of
the procedure is shown in Ref. 1; a
FORTRAN program for performing this
calculation is shown in Ref. 2.
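
The event listing of par. 8-4 and the bounding procedure of par. 8-5 can both be run on the capacitor bridge. The Python below is an added example (it is not the FORTRAN program of Ref. 2): it enumerates the 81 states against the six minimal cut sets of Eq. 8-16, computes Pr{F} exactly, and produces the successive upper and lower bounds. The state probabilities are constructed values, assumed identical and s-independent for the four capacitors, and all names are hypothetical.

```python
from itertools import combinations, product
from math import prod

STATES = "gso"          # good, short, open
CAPACITORS = (1, 2, 3, 4)

# The six minimal cut sets of Eq. 8-16, each as {capacitor: required state}.
CUT_SETS = [
    {1: "s", 2: "s"}, {3: "s", 4: "s"}, {1: "s", 4: "s"}, {2: "s", 3: "s"},
    {1: "o", 3: "o"}, {2: "o", 4: "o"},
]

# Constructed sample probabilities for one capacitor (they sum to 1).
P_SAMPLE = {"g": 0.92, "s": 0.05, "o": 0.03}


def network_failed(state):
    """state maps capacitor -> 'g'/'s'/'o'; failed if any cut set fully occurs."""
    return any(all(state[c] == s for c, s in cut.items()) for cut in CUT_SETS)


def enumerate_states():
    """Return [(label, failed)] for all 3**4 states, label like 'sggs' (capacitors 1-4)."""
    rows = []
    for combo in product(STATES, repeat=len(CAPACITORS)):
        state = dict(zip(CAPACITORS, combo))
        rows.append(("".join(combo), network_failed(state)))
    return rows


def exact_failure_probability(p):
    """Sum the probabilities of the mutually exclusive failed states."""
    return sum(prod(p[ch] for ch in label)
               for label, failed in enumerate_states() if failed)


def joint_probability(cuts, p):
    """Probability that every cut set in `cuts` occurs together.

    The requirements are merged; a capacitor cannot be both short and open,
    so conflicting requirements give probability zero.
    """
    merged = {}
    for cut in cuts:
        for cap, st in cut.items():
            if merged.setdefault(cap, st) != st:
                return 0.0
    return prod(p[st] for st in merged.values())


def successive_bounds(p):
    """Partial sums taking the cut sets 1, 2, ..., 6 at a time.

    Odd-order terms are added (upper bounds), even-order terms are
    subtracted (lower bounds); the last partial sum is exact.
    """
    bounds, running = [], 0.0
    for order in range(1, len(CUT_SETS) + 1):
        term = sum(joint_probability(c, p) for c in combinations(CUT_SETS, order))
        running += term if order % 2 else -term
        bounds.append(running)
    return bounds


if __name__ == "__main__":
    rows = enumerate_states()
    print("failed states:", sum(f for _, f in rows), "of", len(rows))
    print("exact Pr{F}  :", exact_failure_probability(P_SAMPLE))
    for order, b in enumerate(successive_bounds(P_SAMPLE), start=1):
        print(("upper" if order % 2 else "lower"), "bound", order, ":", b)
```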

Even  though  the  principles  involved  are 
straightforward,  implementing  them  on  any 
reasonably  sized  system  can  be  very  tedious 
and  complicated. 

Chapter 7 “Cause-Consequence Charts
(and Fault Trees)” of Part Two, Design for
Reliability, contains further information and
references on finding minimal cut sets for
systems; references are also made there to
automated methods of finding all minimal cut
sets for a fault tree.

8-6  MAJORITY  VOTING 

In majority-voting redundancy the proper
output of the system is presumed to be the
output of the majority of the individual logic
elements which feed the voter (Ref. 3). The
output is determined by the voter, which
decides what the majority of the elements
indicates. The system gives the correct output
when less than half of the elements have
failed and when the voter is good.

Case  7.  Simple  majority  voting 


where 

$n$ = number of logic elements
$n_t$ = greatest integer $< n/2$

$R_v$ = s-reliability of the voter
$R_i$ = s-reliability of a logic element

$\bar{R}_i = 1 - R_i$

TABLE 8-1

STATES OF CAPACITOR NETWORK IN FIG. 8-2

1 2 3 4      1 2 3 4      1 2 3 4

g g g g      s g g g      o g g g
g g g s      s g g s f    o g g s
g g g o      s g g o      o g g o
g g s g      s g s g      o g s g
g g s s f    s g s s f    o g s s f
g g s o      s g s o      o g s o
g g o g      s g o g      o g o g f
g g o s      s g o s f    o g o s f
g g o o      s g o o      o g o o f
g s g g      s s g g f    o s g g
g s g s      s s g s f    o s g s
g s g o      s s g o f    o s g o
g s s g f    s s s g f    o s s g f
g s s s f    s s s s f    o s s s f
g s s o f    s s s o f    o s s o f
g s o g      s s o g f    o s o g f
g s o s      s s o s f    o s o s f
g s o o      s s o o f    o s o o f
g o g g      s o g g      o o g g
g o g s      s o g s f    o o g s
g o g o f    s o g o f    o o g o f
g o s g      s o s g      o o s g
g o s s f    s o s s f    o o s s f
g o s o f    s o s o f    o o s o f
g o o g      s o o g      o o o g f
g o o s      s o o s f    o o o s f
g o o o f    s o o o f    o o o o f


Eq. 8-17 assumes that failure of any element is absolute (i.e., it cannot assist in giving the correct answer) and is s-independent. Other analyses are possible which make other more realistic assumptions about the failures.

The voter itself can be made into a majority element; the analysis of such a system becomes quite complicated.

CHAPTER 9 RELIABILITY PREDICTION (TIME DEPENDENT)


9-0  LIST  OF  SYMBOLS 

csqf($\chi^2$, $\nu$) = chi square Cdf with $\nu$ degrees of freedom

csqfc($\chi^2$, $\nu$) = 1 - csqf($\chi^2$, $\nu$)

$f(t)$ = pdf of $t$

$f(t)$, $g(t)$ = pdf's for elements in par. 9-6

$f_\alpha$ = pdf for element $\alpha$ in par. 9-7

$F_\alpha$ = Cdf for element $\alpha$ in par. 9-7

$F(t)$, $G(t)$ = Sf's for elements in par. 9-6

$\bar{F}_\alpha$ = Sf for element $\alpha$ in par. 9-7

gauf($\cdot$) = Cdf for s-normal (Gaussian) distribution

gaufc($\cdot$) = 1 - gauf($\cdot$)

$k \equiv \lambda'/\lambda$

$\mathrm{MTF}_i$ = Mean Time to Failure for case $i$

$p_i$, $q_i$ = element s-reliability and s-unreliability, respectively, (Table 9-2)

pdf = probability density function

$R(t)$, $\mathcal{R}(t)$ = s-reliability during interval 0 to $t$

$\mathcal{R}_i$ = s-reliability for case $i$

$\bar{\mathcal{R}}_i$ = $1 - \mathcal{R}_i$

s- = denotes statistical definition

Sf = Survivor function

$t$ = time, time-to-failure

$t_1$ = a time $0 < t_1 < t$

$z_\alpha$ = standard s-normal variate

$\theta_i$ = an MTF for situation $i$

$\lambda$, $\lambda_i$ = failure rates
X'  X = failure  rates 

7 CL 

$\lambda t$ = dimensionless "parameter"

$\mu$, $\sigma$ = mean and standard deviation, respectively, for an s-normal distribution

$\tau$ = $\lambda t$, time interval for par. 9-9

9-1  INTRODUCTION 

There is a multitude of formulas for calculating reliability of redundant systems. Virtually all of them presume conditional s-independence of the elements. It is important in a practical analysis to list each set of conditions under which s-independence will hold.

In the vast majority of cases in analyses for redundancy, transition rates (e.g., failure and repair rates) are assumed to be constant. Any other assumption causes many complications in the analysis.

9-2  MEASURES  OF  RELIABILITY 


The two measures most frequently used to compare the effectiveness of redundancy are:

1. Mean time to failure (MTF) of the system: useful when mission times are long compared to the lives of elements.

2. Probability of failure of the system: useful when mission times are short compared to the lives of elements.

In all cases in this volume, the proviso exists on all formulas that the indicated operation is "legal" and the result exists. The proviso is satisfied for practical reliability problems.

The MTF is defined as

$$\mathrm{MTF} = \int_0^\infty t\,f(t)\,dt = \int_0^\infty R(t)\,dt$$  (9-1)

where

$f(t)$ = pdf of time to failure
$R(t)$ = Sf of time to failure

9-3  THE  EXPONENTIAL  DISTRIBUTION 


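The time-to-failure pdf and the reliability function (survivor function Sf) of the exponential distribution are, respectively,

$$f(t) = \lambda e^{-\lambda t}, \qquad R(t) = e^{-\lambda t}$$  (9-2)

where $\lambda$ is the constant failure (hazard) rate.

All failures are s-independent and all standbys are hot (active).

Case 1. Two elements in parallel (1-out-of-2:G) have failure rates, $\lambda_a$ and $\lambda_b$. The s-reliability $\mathcal{R}_1(t)$ is

$$\mathcal{R}_1(t) = 1 - (1 - e^{-\lambda_a t})(1 - e^{-\lambda_b t}) = e^{-\lambda_a t} + e^{-\lambda_b t} - e^{-(\lambda_a + \lambda_b)t}$$  (9-3a)

$$\mathrm{MTF}_1 = \frac{1}{\lambda_a} + \frac{1}{\lambda_b} - \frac{1}{\lambda_a + \lambda_b}$$  (9-3b)

Case 2. Same as Case 1, except $\lambda_a = \lambda_b = \lambda$ (identical elements), then

$$\mathcal{R}_2(t) = e^{-\lambda t}(2 - e^{-\lambda t}),$$  (9-4a)

$$\mathrm{MTF}_2 = \frac{3}{2\lambda}$$  (9-4b)

Case 3. m active-parallel elements (1-out-of-m:G, hot standby).

$$\bar{\mathcal{R}}_3(t) = \prod_{i=1}^{m} (1 - e^{-\lambda_i t})$$  (9-5a)

$$\mathrm{MTF}_3 = \sum_{i=1}^{m} \frac{1}{\lambda_i} - \sum_{\substack{i,j=1 \\ i<j}}^{m} \frac{1}{\lambda_i + \lambda_j} + \sum_{\substack{i,j,k=1 \\ i<j<k}}^{m} \frac{1}{\lambda_i + \lambda_j + \lambda_k} - \cdots$$  (9-5b)

Case 4. Same as Case 3, except all elements are identical, $\lambda_i = \lambda$ for all $i$.

$$\bar{\mathcal{R}}_4(t) = (1 - e^{-\lambda t})^m$$  (9-6a)

$$\mathrm{MTF}_4 = \frac{1}{\lambda} \sum_{i=1}^{m} \frac{1}{i}.$$  (9-6b)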

9-3.1  RELIABILITY  IMPROVEMENT 

The reliability functions for a system with m parallel (1-out-of-m:G, hot standby) elements (m = 1, 2, 3, 4, 5) and $\lambda = \lambda_i$ = constant are plotted in Fig. 9-1.

FIGURE 9-1. Reliability Function for Systems With m Identical, Active, Parallel Elements, Each With Constant Failure Rate $\lambda$ (1-out-of-m:G)

Another method of measuring reliability improvement is to calculate the ratios (or differences) in MTF of two systems. Table 9-1 gives the ratios of MTF for $\theta_m/\theta_1$ and $\theta_m/\theta_{m-1}$ for m = 1, 2, 3, 4, 5; where $\theta_i$ = MTF for $i$ elements as given by Eq. 9-6b.

TABLE 9-1

RATIOS OF MTF'S FOR m ACTIVE-PARALLEL ELEMENTS²

m      θ_m/θ_1      θ_m/θ_(m-1)
1      1.00         -
2      1.50         1.50
3      1.83         1.22
4      2.08         1.14
5      2.28         1.10

From Table 9-1 it can be seen that the $\theta_m/\theta_{m-1}$ maximum occurs when m = 2.

The  improvements  are,  in  most  cases,  the 
maximum  that  can  be  achieved.  If  the 
elements  have  more  than  one  failure  mode 
and/or  if  switching  is  imperfect,  the 
effectiveness  of  the  redundancy  is  reduced. 

9-3.2  REDUNDANCY  VERSUS  IMPROVED 
ELEMENTS 

A system  designer  may  have  the  option  of 
adding  redundant  elements  or  using  improved 
elements  in  a nonredundant  configuration  to 
increase  reliability  (Refs.  1 and  2).  The 
designer  must  consider  effectiveness,  cost, 
weight,  maintenance,  and  other  related 
considerations  in  making  his  choice. 

Case 5. Two alike elements are connected in active-parallel (Case 2); their MTF is $3/(2\lambda)$, from Eq. 9-4a. To obtain the same MTF with a single improved element, the improved element must have $\lambda' = 2\lambda/3$.

The s-reliability $\mathcal{R}_5$ of the improved element is

$$\mathcal{R}_5(t) = e^{-\lambda' t} = e^{-2\lambda t/3}$$  (9-7a)

$$\mathrm{MTF}_5 = \frac{1}{\lambda'} = \frac{3}{2\lambda}$$  (9-7b)

The s-reliabilities $\mathcal{R}_2$ and $\mathcal{R}_5$ are plotted in Fig. 9-2. From the figure, the redundant system has the greater reliability up to $\lambda t \approx 1.75$. After that, the improved single-element system is the more reliable. The point of intersection of the two functions will change if more redundant elements are added, if the degree of element improvement varies, or if standby redundancy is used.

FIGURE 9-2. Survivor Functions for Two Particular Systems With the Same MTF²

In redundancy applications, there is usually one time, say $t'$, when the reliability of a nonredundant system with improved elements is equal to the reliability of a redundant system with less reliable elements. When $t < t'$ the redundant system has the greater reliability. When $t > t'$ the improved-element system is superior. The choice of the system configuration depends on the ratio of element life to mission time.

9-4  THE  s-NORMAL  DISTRIBUTION 


The s-normal distribution is useful to describe many systems whose failure rate increases "to infinity". Its pdf is

(9-8)

where

$\mu$ = mean time to failure

$\sigma$ = standard deviation

We also introduce the following notation.

gauf(z) = Cdf of the standard s-normal (Gaussian) distribution ($\mu = 0$, $\sigma = 1$) (the probability of failure)

gaufc(z) = Sf of the standard s-normal distribution (the reliability); it is the complement of gauf(z).

Case 6. Two elements in active parallel redundancy (1-out-of-2:G, hot standby); each has an s-normal distribution of time to failure with parameters $\mu_a$, $\sigma_a$ and $\mu_b$, $\sigma_b$. Define

$$z_a \equiv \frac{t - \mu_a}{\sigma_a}, \qquad z_b \equiv \frac{t - \mu_b}{\sigma_b}$$  (9-9)

From Eq. 8-3, the probability of failure is

$$\bar{\mathcal{R}}_6 = \mathrm{gauf}(z_a)\,\mathrm{gauf}(z_b)$$  (9-10)

To illustrate Case 6, assume that the two components, A and B, have the following parameters:

$\mu_a$ = 300 hr    $\mu_b$ = 400 hr
$\sigma_a$ = 40 hr    $\sigma_b$ = 60 hr    (9-11)

In order to evaluate the reliability of this redundant unit at, say 350 hr, the following computation is performed using Eq. 9-9:

$$z_a = \frac{350\ \text{hr} - 300\ \text{hr}}{40\ \text{hr}} = 1.25, \qquad z_b = \frac{350\ \text{hr} - 400\ \text{hr}}{60\ \text{hr}} = -0.833$$  (9-12)

Now refer to the tables of the s-normal distribution.

Unreliability or probability of failure = gauf(1.25) gauf(-0.833) = 0.8944 × 0.2026 = 0.1812 ≈ 0.18  (9-13)

9-5  OTHER  CONFIGURATIONS 

Table  9-2  lists  the  reliability  of  several 
combinations  of  elements.  The  last  column 
shows  the  MTF  under  the  assumption  that  all 
elements  have  an  identical  constant  failure 
rate.

TABLE 9-2. RELIABILITY FUNCTIONS FOR VARIOUS ACTIVE-PARALLEL (1-out-of-n:G) CONFIGURATIONS²

$1 - [1 - p_{11}(t)p_{12}(t)][1 - p_{21}(t)p_{22}(t)]$;  MTF: $\dfrac{3}{4\lambda}$

6. Parallel-Series, m × n

(a) General case: $1 - \prod_{i=1}^{m} [1 - p_{i1}(t)p_{i2}(t) \cdots p_{in}(t)]$

(b) Identical elements in paths: $1 - [1 - p_1(t)p_2(t) \cdots p_n(t)]^m$

(c) Identical elements: $1 - [1 - p(t)^n]^m$

7. Partial Redundancy (require at least k satisfactory elements)

(a) Identical elements

Y,lk  V^'11 

i y L 

nk  < 

/-I 


Element $ij$ refers to the element in the $i$th row and $j$th column: $p_{ij}$ with failure rate $\lambda_{ij}$; $i$ = 1, 2, ..., m; $j$ = 1, 2, ..., n.

Notation

$p(t)$ = element reliability function = $\int_t^\infty f(t)\,dt$

When elements have exponential failure

$q(t)$ = $1 - p(t)$ = element unreliability function.

Notation for Table 9-2:

$p_i$ = survival probability of element $i$

$q_i$ = $1 - p_i$

$\lambda$ = common constant failure rate for last column.

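If the failure rates are neither common nor constant, the MTF is tedious and difficult to calculate. As an example, assume the redundant system in Fig. 9-3. System reliability can be determined from

$$\mathcal{R}_s(t) = e^{-\lambda_a t}\,[e^{-\lambda_b t} + e^{-\lambda_c t} - e^{-(\lambda_b + \lambda_c)t}] \times [e^{-(\lambda_d + \lambda_e)t} + e^{-\lambda_f t} - e^{-(\lambda_d + \lambda_e + \lambda_f)t}]$$  (9-14)

$$= \sum_{i=1}^{5} e^{-\lambda_i t} - \sum_{i=6}^{9} e^{-\lambda_i t}$$  (9-15)

where

$\lambda_1 = \lambda_a + \lambda_b + \lambda_f$ = 0.020
$\lambda_2 = \lambda_a + \lambda_b + \lambda_d + \lambda_e$ = 0.022
$\lambda_3 = \lambda_a + \lambda_c + \lambda_d + \lambda_e$ = 0.027
$\lambda_4 = \lambda_a + \lambda_c + \lambda_f$ = 0.025
$\lambda_5 = \lambda_a + \lambda_b + \lambda_c + \lambda_d + \lambda_e + \lambda_f$ = 0.037
$\lambda_6 = \lambda_a + \lambda_b + \lambda_d + \lambda_e + \lambda_f$ = 0.027
$\lambda_7 = \lambda_a + \lambda_c + \lambda_d + \lambda_e + \lambda_f$ = 0.032
$\lambda_8 = \lambda_a + \lambda_b + \lambda_c + \lambda_d + \lambda_e$ = 0.032
$\lambda_9 = \lambda_a + \lambda_b + \lambda_c + \lambda_f$ = 0.030.  (9-16)

The MTF is computed by integrating the reliability function:

$$\mathrm{MTF} = \sum_{i=1}^{5} \frac{1}{\lambda_i} - \sum_{i=6}^{9} \frac{1}{\lambda_i} = 199.5 - 132.9 = 66.6.$$  (9-17)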
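The expansion behind Eqs. 9-14 through 9-17 can be done mechanically for any series/parallel arrangement of exponential elements. The sketch below is an added example, not code from the handbook; the block structure A in series with (B parallel C) and with ((D series E) parallel F) is inferred from the rate sums in Eq. 9-16, and the function names are assumptions.

```python
import math

# Failure rates from the Fig. 9-3 data on this page (dimensionless).
RATES = {"a": 0.0100, "b": 0.0050, "c": 0.0100,
         "d": 0.0033, "e": 0.0033, "f": 0.0050}


def element(name):
    """Reliability polynomial of one element: +1 * exp(-rate * t)."""
    return {frozenset([name]): 1}


def series(*blocks):
    """All blocks must work: multiply the polynomials.

    Each key is the set of elements whose rates add up in one exponent.
    Set union counts a repeated element once (x * x = x for a 0/1 state),
    so blocks that share an element are still expanded correctly.
    """
    out = {frozenset(): 1}
    for block in blocks:
        nxt = {}
        for s1, c1 in out.items():
            for s2, c2 in block.items():
                nxt[s1 | s2] = nxt.get(s1 | s2, 0) + c1 * c2
        out = {k: c for k, c in nxt.items() if c != 0}
    return out


def parallel(*blocks):
    """At least one block must work: 1 - product of (1 - R_block)."""
    complements = []
    for block in blocks:
        comp = {k: -c for k, c in block.items()}
        comp[frozenset()] = comp.get(frozenset(), 0) + 1
        complements.append(comp)
    unrel = series(*complements)
    out = {k: -c for k, c in unrel.items()}
    out[frozenset()] = out.get(frozenset(), 0) + 1
    return {k: c for k, c in out.items() if c != 0}


def terms(block, rates):
    """(coefficient, summed failure rate) for every exponential term."""
    return [(c, sum(rates[n] for n in names)) for names, c in block.items()]


def reliability(block, rates, t):
    return sum(c * math.exp(-lam * t) for c, lam in terms(block, rates))


def mtf(block, rates, digits=None):
    """Integrate term by term: c * exp(-L t) contributes c / L.

    digits rounds each summed rate first, as the printed Eq. 9-16 does.
    """
    total = 0.0
    for c, lam in terms(block, rates):
        total += c / (round(lam, digits) if digits is not None else lam)
    return total


# Structure inferred from Eq. 9-16 (assumption; Fig. 9-3 is not reproduced).
SYSTEM = series(element("a"),
                parallel(element("b"), element("c")),
                parallel(series(element("d"), element("e")), element("f")))

if __name__ == "__main__":
    for c, lam in sorted(terms(SYSTEM, RATES), key=lambda x: (-x[0], x[1])):
        print(f"{c:+d} * exp(-{lam:.4f} t)")
    print("MTF, rates rounded to 3 places:", round(mtf(SYSTEM, RATES, 3), 1))
    print("MTF, unrounded rates:          ", round(mtf(SYSTEM, RATES), 1))
```

With the rate sums rounded to three places the result is the printed 66.6; carrying the unrounded sums gives about 67.0, which shows how sensitive a difference of two large sums is to rounding.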

9-6  s-DEPENDENT  FAILURE  PROBABIL- 
ITIES 

Up to this point, it has been assumed that the failure of an active redundant element has no effect on the other active elements.

However, the opposite condition often arises: the failure of one element does affect the others. For example, consider the block diagram in Fig. 9-4. A and B are both fully energized, and normally share or carry half the load, L/2. If either A or B fails, the survivor must then carry the full load. Hence, the probability that one (say B) fails depends on the state of the other if failure probability is related to load or stress. A simple example would be a 2-engine airplane which, if one engine fails, can still keep flying. However, the surviving engine now has to carry the full load and has a higher probability of failing.

For this relatively simple example, the reliability function can be derived by considering all possible ways of system success, as shown in Fig. 9-5. The bar above a letter represents failure of that element. The prime represents operation of that element under full load; absence of a prime represents operation under half load.

$\lambda_a$ = 0.0100    $\lambda_c$ = 0.0100    $\lambda_e$ = 0.0033
$\lambda_b$ = 0.0050    $\lambda_d$ = 0.0033    $\lambda_f$ = 0.0050

For convenience, the $\lambda$ has been taken as dimensionless. Actually, the MTF will have the reciprocal dimension of the $\lambda$.

William H. Von Alven, Ed., Reliability Engineering, © 1964 by ARINC Research Corporation. Reprinted by permission

FIGURE 9-3. Illustrative System²

The derivation is as follows. Let

$f(t)$ = failure-time pdf of each element when both elements are operating;

$F(t)$ = Sf corresponding to $f(t)$

$g(t)$ = element failure-time pdf of the unfailed element when one element has failed;

$G(t)$ = Sf corresponding to $g(t)$

$t_1 < t$ = some point in time

L = full load

The system operates satisfactorily at time $t$ if either A or B or both are operating successfully. Under the assumption that the elements are s-independent if both are operating, the probability that both will operate until time $t$ is

$$[F(t)]^2$$  (9-18)

The pdf for one element failing at time $t_1$ and the other surviving to $t_1$ under L/2 and from $t_1$ to $t$ under L is

$$f(t_1)\,F(t_1)\,G(t - t_1)$$  (9-19)

Since $t_1$ can range from 0 to $t$, this pdf is integrated over that range, and the resulting probability is doubled because the event can occur in either of two ways. Hence,

$$R(t) = [F(t)]^2 + 2\int_0^t f(t_1)\,F(t_1)\,G(t - t_1)\,dt_1$$  (9-20)


Success = Conditions (1), (2), or (3)

FIGURE 9-5. Time Sequence Diagram²


Special Case. The element failure times are exponentially distributed and each has a parameter $\lambda$ under load L/2, and $\lambda'$ under load L. Define

$$k \equiv \lambda'/\lambda.$$  (9-21)

The solution of Eq. 9-20 is

$$R(t) = [2\exp(-\lambda' t) - k\exp(-2\lambda t)]/(2 - k), \quad k \ne 2$$  (9-22)

$$R(t) = (2\lambda t + 1)\exp(-2\lambda t), \quad k = 2$$  (9-23)

The system MTF is

$$\mathrm{MTF} = \frac{1}{2\lambda} + \frac{1}{\lambda'}$$  (9-24)

When k = 1, load-sharing is not present, i.e., increased load does not affect the element failure probability. This assumption was made in the previous discussions of active-parallel redundancy. If there were only one element, it would be operating under full load; therefore, the system MTF would be $1/\lambda' = 1/(k\lambda)$.

A single improved element can be used as an alternative to redundancy when this s-dependent model is assumed. The effects of using improved single elements or redundant standard elements can be illustrated as follows. Consider

A: Single standard element; $\lambda$ = 1/50

B: Single improved element; $\lambda$ = 1/100

C: s-Dependent model, standard elements; $\lambda$ (half load) = 1/100, $\lambda'$ (full load) = 1/50.

The MTF's and s-reliability functions of these three configurations are

$\mathrm{MTF}_A$ = 50  (9-25a)

$R_A(t) = e^{-t/50}$  (9-25b)

$\mathrm{MTF}_B$ = 100  (9-26a)

$R_B(t) = e^{-t/100}$  (9-26b)

$\mathrm{MTF}_C$ = 100  (9-27a)

$R_C(t) = e^{-t/50}(1 + t/50)$.  (9-27b)

The s-reliability functions are shown in Fig. 9-6. Although systems B and C have the same MTF, the redundant system has greater reliability in early life. After approximately 125 hours, the improved single-element system is superior. If such factors as effectiveness, cost, weight, and complexity are approximately equivalent for systems B and C, the choice would depend on the Required Time of Operation for the system.
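The load-sharing result can be checked by evaluating the integral of Eq. 9-20 numerically and comparing it with the closed forms of Eqs. 9-22 and 9-23, then locating the time at which systems B and C trade places. This is an added example, not code from the handbook; the function names, the midpoint integrator and the bisection bracket are assumptions.

```python
import math


def integrate(fn, a, b, n=4000):
    """Midpoint rule; ample accuracy for these smooth integrands."""
    h = (b - a) / n
    return h * sum(fn(a + (i + 0.5) * h) for i in range(n))


def r_load_sharing_numeric(t, lam, lam_full):
    """Eq. 9-20 with exponential elements, integrated numerically."""
    sf_half = lambda x: math.exp(-lam * x)          # F: both units share L/2
    pdf_half = lambda x: lam * math.exp(-lam * x)   # f
    sf_full = lambda x: math.exp(-lam_full * x)     # G: survivor carries L
    one_failed = integrate(
        lambda t1: pdf_half(t1) * sf_half(t1) * sf_full(t - t1), 0.0, t)
    return sf_half(t) ** 2 + 2.0 * one_failed


def r_load_sharing_closed(t, lam, lam_full):
    """Eqs. 9-22 and 9-23, with k = lam_full / lam."""
    k = lam_full / lam
    if math.isclose(k, 2.0):
        return (2.0 * lam * t + 1.0) * math.exp(-2.0 * lam * t)
    return (2.0 * math.exp(-lam_full * t)
            - k * math.exp(-2.0 * lam * t)) / (2.0 - k)


def crossover(r_first, r_second, lo, hi, tol=1e-6):
    """Bisection for r_first(t) = r_second(t); needs one sign change."""
    diff = lambda t: r_first(t) - r_second(t)
    if diff(lo) * diff(hi) > 0:
        raise ValueError("no sign change in the bracket")
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if diff(lo) * diff(mid) <= 0:
            hi = mid
        else:
            lo = mid
    return 0.5 * (lo + hi)


def r_system_b(t):
    """Single improved element, Eq. 9-26b."""
    return math.exp(-t / 100.0)


def r_system_c(t):
    """Load-sharing pair: 1/100 at half load, 1/50 at full load (k = 2)."""
    return r_load_sharing_closed(t, 1.0 / 100.0, 1.0 / 50.0)


def mtf_numeric(r, horizon=3000.0):
    """Integral of the survivor function out to a horizon where R is ~0."""
    return integrate(r, 0.0, horizon, n=60000)


if __name__ == "__main__":
    print("crossover of B and C, hr:", round(crossover(r_system_c, r_system_b, 50.0, 300.0), 1))
    print("MTF of C:", round(mtf_numeric(r_system_c), 2))
```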

9-7  STANDBY  REDUNDANCY 

In  a system  of  redundant  elements  that 
are  completely  on  standby,  the  standby 
elements  are  cold  (have  zero  failure  rate)  until 
the  primary  element  fails  (Ref.  2).  The 
necessary  switching  is  perfect. 

Case 7. The system contains two elements, A and B; the reliability function can be found as indicated.

William H. Von Alven, Ed., Reliability Engineering, © 1964 by ARINC Research Corporation. Reprinted by permission of Prentice-Hall, Inc., Englewood Cliffs, NJ.

FIGURE 9-6. s-Reliability Functions for Redundant Configuration (Dependent Model) and Nonredundant Configurations² (horizontal axis: Time t, hr)

The system will be successful at time $t$ if either (letting A be the primary element):

1. A succeeds up to time $t$, or

2. A fails at time $t_1 < t$ and B operates from $t_1$ to $t$.

Fig. 9-7 shows these two conditions.

$$R(t) = \bar{F}_a(t) + \int_0^t f_a(t_1)\,\bar{F}_b(t - t_1)\,dt_1$$  (9-28)

The first term of Eq. 9-28 is the probability that element A will succeed until time $t$. The integrand is the pdf of A failing exactly at $t_1$ and B succeeding for the remaining $(t - t_1)$ hours. Since $t_1$ can range from 0 to $t$, $t_1$ is integrated over that range.

Case 8. Same as Case 7, but for the exponential case where the element failure rates are $\lambda_a$ and $\lambda_b$.

$$R(t) = \frac{\lambda_b e^{-\lambda_a t} - \lambda_a e^{-\lambda_b t}}{\lambda_b - \lambda_a}, \quad \lambda_a \ne \lambda_b$$  (9-29a)

$$R(t) = e^{-\lambda t}(1 + \lambda t), \quad \lambda_a = \lambda_b = \lambda.$$  (9-29b)

It does not matter whether the more reliable element is used as the primary or the standby element.

Case 9. Same as Case 8 except there are n elements each with parameter $\lambda$.

$$\mathcal{R}_9(t) = e^{-\lambda t} \sum_{r=0}^{n-1} \frac{(\lambda t)^r}{r!}$$  (9-30a)

$$\mathrm{MTF}_9 = n/\lambda$$  (9-30b)

William H. Von Alven, Ed., Reliability Engineering, © 1964 by ARINC Research Corporation. Reprinted by permission of Prentice-Hall, Inc., Englewood Cliffs, NJ.

FIGURE 9-7. Time Sequence Diagram for Standby Redundancy²

9-7.1 SWITCHING FAILURES


Case 10. The following notation will be used for a 2-element standby redundant unit requiring a decision-and-switching device that switches in one direction only (Ref. 2):

$f_a(t)$, $f_b(t)$ = failure pdf's of elements A and B

$f_{b'}(t)$ = failure pdf of element B when on standby

$f_x(t)$ = conditional contact failure pdf (failure of the contact to maintain a good connection, given that a good connection initially existed)

$f_y(t)$ = conditional dynamic failure pdf (failure to switch, given that A has failed)

$f_z(t)$ = conditional static failure pdf (switching when not required)

$F_\alpha$, $\bar{F}_\alpha$ = Cdf and Sf corresponding to $f_\alpha$, $\alpha$ = a, b, b', x, y, z

$f_x(t)$, $f_y(t)$, and $f_z(t)$ refer to decision-and-switching device failures which may not be time-dependent. If these failures are not time-dependent, the appropriate failure pdf is replaced by a constant probability of failure.

ai0(t)=Fx(t)\Fz(t)Fjt)  + J*  [Fa(tx) 

0 


This equation represents a general case in that the following possibilities are included:

1. A and B can be different elements.

2. A static failure can occur if B is energized, resulting in no output or a false indication of system failure. If a static failure cannot occur when B is energized, then $\bar{F}_z(t) = 1$.

3. B can fail while on standby, and its failure pdf can be different from that when B is energized. If B is a "cold" rather than a "warm" or "hot" reserve, $f_{b'}(t) = 0$, $\bar{F}_{b'}(t) = 1$.

Case 11. Same as Case 10, but identical elements (A and B) with constant failure rate $\lambda_A = \lambda_B = \lambda$ and cold standby. Eq. 9-31 becomes

+ [i  + V + r7 

(1 -«-*»')].  (9-32) 

Case  12.  Same  as  Case  11,  but 


then,  since 

lim  ( i 

X ^0  ( 

y 


$$\mathcal{R}_{12}(t) = e^{-\lambda t}(1 + \lambda t).$$

which agrees with Eq. 9-29b, as it should. The effects of imperfect switching also are analyzed in Refs. 4, 6, 7.


dtl  + J'  [ f,(‘2)F,<t2)Fy(t2) 

0 

|.  (9.3i) 

In Eq. 9-31, the first term inside the brackets represents the probability that A operates to $t$ without premature switching. The second term represents the probability that a static failure occurs at time $t_1 < t$, but B operates to $t$. The last term represents the probability that A fails at time $t_2 < t$ and the decision-and-switching device switches to B (no dynamic failure), which operates to $t$.


9-7.2  OPTIMUM  DESIGN:  GENERAL 
MODEL 

Case 13. There are n redundant paths with (n - 1) in cold standby, and each path requires a switching device. In this model, the monitor represents the failure-detection and switching-control functions. These two functions can be considered as one for reliability purposes if it is assumed that the probability of compensating errors is negligible. All failure distributions have constant failure rates.

The following assumptions are made when computing the reliability of these systems (Ref. 2):

1. Switching is in one direction only.

2. Standby (reserve) paths cannot fail if not energized.

3. Switching devices ought to respond only when directed to switch by the monitor; false switching operation (static failure) is detected by the monitor as a path failure, and switching is initiated.

4. Switching devices do not fail if not energized.

5. Monitor failure includes both dynamic and static failures. The monitor is a "series" element in the system.

Define terms as

$\lambda$ = total (sum) failure rate of the series elements in a path

$\lambda_s$ = failure rate of the switching device (includes contact failure)

$\lambda_m$ = failure rate of the monitor

then, for n total paths,

$$\mathcal{R}_{13}(t) = e^{-\lambda_m t} \left\{ e^{-(\lambda + \lambda_s)t} \sum_{i=0}^{n-1} \frac{[(\lambda + \lambda_s)t]^i}{i!} \right\}$$  (9-33)

To illustrate the reliability gain provided by this model, assume that the system specification requires a high reliability for a mission of $t$ hours. A nonredundant system therefore would have a reliability of

$$R_1(t) = e^{-\lambda t},$$  (9-34a)

since no switching is required. The redundant system would have an s-reliability given by Eq. 9-33.

$$R_n(t) = \mathcal{R}_{13}(t)$$  (9-34b)

Define $\tau = \lambda t$ and substitute for $t$ in Eq. 9-33, except in the $\lambda_m$ term.

$$\mathcal{R}_{13}(\tau) = \exp(-\lambda_m t)\,\exp\left[-\left(1 + \frac{\lambda_s}{\lambda}\right)\tau\right] \sum_{i=0}^{n-1} \frac{\left[\left(1 + \frac{\lambda_s}{\lambda}\right)\tau\right]^i}{i!}$$  (9-35a)

$$\mathcal{R}_{13}(\tau) = \exp(-\lambda_m t)\ \mathrm{csqfc}\left(2\tau\left(1 + \frac{\lambda_s}{\lambda}\right),\ 2n\right)$$  (9-35b)

where

csqf($\chi^2$, $\nu$) = chi square Cdf with $\nu$ degrees of freedom

csqfc($\chi^2$, $\nu$) = 1 - csqf($\chi^2$, $\nu$) = complement of the csqf (named in analogy with the error function)

The maximum reliability for a fixed $\tau$ that can be achieved, as $n \to \infty$, is $\exp(-\lambda_m t)$. Therefore, if $\lambda_m > \lambda$ (monitor is worse than an element) the optimum design has 1 element and no switching/monitoring.

Eq. 9-5 is a function of $\lambda_s/\lambda$, $\lambda_m$, and $\tau$. The mission reliability of the redundant system can be calculated as a function of the parameters in Eq. 9-35. Table 9-3 and Figs. 9-8 and 9-9 show some of these calculations.

Table 9-3 shows how system reliability is influenced by the number of paths, if the switching device and the monitor have failure rates that are 1, 1/10, and 1/100 as great as the path failure rate.

In Fig. 9-8 the reliability of the redundant system is given as a function of the number of paths for various ratios of $\lambda_m/\lambda$ when $R_1(t)$ = 0.80; arbitrarily, $\lambda_s/\lambda$ = 1/1000. Fig. 9-9 is similar except that $\lambda_m/\lambda$ = 1/1000, and $\lambda_s/\lambda$ varies.

TABLE 9-3. EFFECT OF REDUNDANCY, CASE 13

Cold standby; n elements total; imperfect switch and monitor; constant failure rates.

Failure probabilities listed in the body of the Table.

                        τ = 0.05                  τ = 0.10                  τ = 0.20
n \ γ                1       0.1     0.01      1       0.1     0.01      1       0.1     0.01
1*                   4.88    4.88    4.88      9.52    9.52    9.52      18.1    18.1    18.1
(1**)                (13.9)  (5.81)  (4.97)    (25.9)  (11.3)  (9.66)    (39.3)  (21.3)  (18.4)
2                    5.32    0.654   0.174     11.1    1.47    0.578     23.2    4.05    1.98
3                    4.96    0.502   0.052     9.62    1.11    0.192     18.8    2.13    0.319
∞ (monitor only)     4.88    0.499   0.050     9.52    0.995   0.100     18.1    1.98    0.200

* No monitor or switch

** To show trends only; actually it is impractical to have switch and monitor with only 1 unit

τ = λt, λ = element failure rate
λ_s, λ_m = switch and monitor failure rates, respectively
γ = λ_s/λ = λ_m/λ for this Table

The following general conclusions can be drawn from this paragraph:

1. As the number of redundant paths increases, the mission reliability approaches the reliability of the monitor.

2. When the failure rates of the path, the switching devices, and the monitor are equal; standby redundancy with two paths results in a mission reliability considerably less than that of a single nonredundant path.

3. For systems where the switching-device and monitor failure rates are less than the path failure rate, the greatest increase in reliability occurs when one redundant path is added to a single path.

4. For a given path and switching-device failure rate, reliability improvement increases rapidly as the monitor failure rate decreases and the number of redundant paths increases. The same is true if the monitor failure rate is held constant and the switching-device failure rate decreases.

5. Important improvement in mission reliability through redundancy results from the use of switching devices and monitors that are much more reliable than the path being switched.
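The Case 13 model is short enough to evaluate directly, which makes the trends in Table 9-3 and the conclusions above easy to check for other parameter values. This is an added example, not code from the handbook; the function names are assumptions, and the comparison treats the table entries as percentages, which is what the printed values correspond to.

```python
import math


def r13(n, tau, switch_ratio, monitor_ratio):
    """Eq. 9-35a.

    tau = lambda * t; switch_ratio = lambda_s / lambda;
    monitor_ratio = lambda_m / lambda, so lambda_m * t = monitor_ratio * tau.
    """
    x = (1.0 + switch_ratio) * tau
    poisson_sum = sum(x ** i / math.factorial(i) for i in range(n))
    return math.exp(-monitor_ratio * tau) * math.exp(-x) * poisson_sum


def failure_pct(n, tau, gamma):
    """Failure probability in percent with both ratios equal to gamma."""
    return 100.0 * (1.0 - r13(n, tau, gamma, gamma))


def single_path_pct(tau):
    """One path with no switch or monitor, Eq. 9-34a (row 1* of the table)."""
    return 100.0 * (1.0 - math.exp(-tau))


def monitor_limit_pct(tau, gamma):
    """n -> infinity: only the monitor can fail (last row of the table)."""
    return 100.0 * (1.0 - math.exp(-gamma * tau))


def min_paths_to_beat_single(tau, switch_ratio, monitor_ratio, n_max=20):
    """Smallest n >= 2 that is more reliable than the bare path, or None."""
    if monitor_ratio >= 1.0:
        return None  # the n -> infinity limit exp(-lambda_m t) is no better
    bare = math.exp(-tau)
    for n in range(2, n_max + 1):
        if r13(n, tau, switch_ratio, monitor_ratio) > bare:
            return n
    return None


def table_rows(taus=(0.05, 0.10, 0.20), gammas=(1.0, 0.1, 0.01), ns=(1, 2, 3)):
    """Rows of failure percentages in the column order of Table 9-3."""
    return {n: [failure_pct(n, tau, g) for tau in taus for g in gammas]
            for n in ns}


if __name__ == "__main__":
    print("1*  ", " ".join(f"{single_path_pct(t):7.3g}" for t in (0.05, 0.10, 0.20)))
    for n, row in table_rows().items():
        print(f"n={n} ", " ".join(f"{v:7.3g}" for v in row))
```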

9-8  ACTIVE  VERSUS  STANDBY 
REDUNDANCY 

For the basic models (s-independent elements, perfect switching, and perfect reliability of de-energized elements), the reliability equations (along with intuition) indicate that standby redundancy is superior to active redundancy.

However, elements are not always s-independent; switching is rarely perfect; and certain parts and components can fail without being energized. Therefore, it is most unlikely that the simple standby system analyzed so far will be representative of practice.

9-9  MAINTENANCE  CONSIDERATIONS 

The previous analyses of redundancy were based on the assumption of unattended system operation. If maintenance is considered, even greater reliability improvements can be achieved. See also Refs. 4-7.

William H. Von Alven, Ed., Reliability Engineering, © 1964 by ARINC Research Corporation. Reprinted by permission of Prentice-Hall, Inc., Englewood Cliffs, NJ.

FIGURE 9-8. Mission Reliability for n Redundant Paths, Case 13, when $R_1(t)$ = 0.80 ($\tau$ = 0.223), $\lambda_s/\lambda$ = 0.001 (Ref. 2).


9-9.1  PERIODIC  MAINTENANCE  (Ref.  2) 

Case 14. The following procedure will be assumed:

(1) Periodic maintenance is performed every T hours, starting at time 0. (2) Every element is checked, and any one which has failed is replaced by a like-new and statistically identical component.

Maintenance is perfect in that repaired/replaced units are good-as-new, no damage is done to the rest of the system, and the repaired system is good-as-new. In short, every T hours the system is restored to

$\tau$ = time since latest (number $j$) repair

$j$ = 0, 1, 2, ... (repair number)

and

$\mathcal{R}_{14} = R_T(t)$, the s-reliability function of a redundant system in which maintenance is performed every T hours

FIGURE 9-9. Mission Reliability for n Redundant Paths, Case 13, when $R_1(t)$ = 0.90 ($\tau$ = 0.223), $\lambda_m/\lambda$ = 0.001 (Ref. 2)

Let $R(t)$ be the s-reliability of the system during a period when no maintenance is done. Then for $j = 1$, $\tau = 0$,

$$R_T(T) = R(T).$$  (9-36)

If $j = 2$ and $\tau = 0$, the system has to operate the first T hours without failure of any redundant configuration. After replacement of all failed elements, another T hours of failure-free system operation are required; hence

$$R_T(2T) = [R(T)]^2.$$  (9-37)

If $0 < \tau < T$, then an additional $\tau$ hours of failure-free system operation are required, and

$$R_T(2T + \tau) = [R(T)]^2 R(\tau).$$  (9-38a)

In general,

$$\mathcal{R}_{14} = R_T(jT + \tau) = [R(T)]^j R(\tau)$$  (9-38b)

where

$j$ = 0, 1, 2, ... ; $0 < \tau < T$.

$$\mathrm{MTF}_{14} = \frac{\int_0^T R(\tau)\,d\tau}{1 - R(T)}$$  (9-39)

The effect of periodic maintenance can be illustrated in the example that follows. Two identical elements with constant failure rates of 1/(100 hr) are placed in an active-parallel configuration (1-out-of-2:G, hot standby). Compare the reliability functions and MTF's for T = ∞, 150, 100, 50, and 10 hr (Ref. 2). Use Eq. 9-4a for $R(t)$.

Reliability functions follow:

1. No maintenance: (T = ∞)

$$R_T(t) = R(t) = 2e^{-t/100} - e^{-t/50}.$$  (9-40)

2. With maintenance: ($t = jT + \tau$, $0 < \tau < T$)

For T = 150 hr:

$$R_T(t) = [2e^{-1.5} - e^{-3}]^j\,[2e^{-\tau/100} - e^{-\tau/50}].$$  (9-41)

For T = 100 hr:

$$R_T(t) = [2e^{-1} - e^{-2}]^j\,[2e^{-\tau/100} - e^{-\tau/50}].$$  (9-42)

For T = 50 hr:

$$R_T(t) = [2e^{-0.5} - e^{-1}]^j\,[2e^{-\tau/100} - e^{-\tau/50}].$$  (9-43)

For T = 10 hr:

$$R_T(t) = [2e^{-0.1} - e^{-0.2}]^j\,[2e^{-\tau/100} - e^{-\tau/50}].$$  (9-44)

The reliability functions are plotted in Fig. 9-10. From 0 to 10 hr, all five functions are identical since $j = 0$ over this period for each system.


MTF is calculated using Eq. 9-39.

$$\mathrm{MTF}_{14} = \frac{\int_0^T R(\tau)\,d\tau}{1 - R(T)} = \frac{\int_0^T [2e^{-\tau/100} - e^{-\tau/50}]\,d\tau}{1 - 2e^{-T/100} + e^{-T/50}} = \frac{150 + 50e^{-T/50} - 200e^{-T/100}}{1 - 2e^{-T/100} + e^{-T/50}}$$  (9-45)

William H. Von Alven, Ed., Reliability Engineering, © 1964 by ARINC Research Corporation. Reprinted by permission of Prentice-Hall, Inc., Englewood Cliffs, NJ.

FIGURE 9-10. s-Reliability Functions for Active-parallel Configuration, Case 14, on Which Maintenance Restored to Like-new is Performed Every T hours (Ref. 2).

The MTF's for the various T's follow:

T, hr      MTF_14
∞          150
150        179
100        208
50         304
10         1097

Considerable  increase  in  MTF  (and 
reliability)  can  be  achieved  by  a perfect 
preventive  maintenance  policy. 
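Eqs. 9-38b and 9-39 apply to any no-maintenance reliability function, not only the active pair of the example, so they can be coded once and fed different $R(t)$. The sketch below is an added example, not code from the handbook; the function names and the midpoint integrator are assumptions, and the active-parallel pair with $\lambda$ = 1/(100 hr) is the page's own example.

```python
import math


def integrate(fn, a, b, n=4000):
    """Midpoint rule; ample accuracy for these smooth integrands."""
    h = (b - a) / n
    return h * sum(fn(a + (i + 0.5) * h) for i in range(n))


def r_active_pair(t, lam=1.0 / 100.0):
    """Eq. 9-4a: two identical active-parallel elements, no maintenance."""
    return 2.0 * math.exp(-lam * t) - math.exp(-2.0 * lam * t)


def r_maintained(t, period, r=r_active_pair):
    """Eq. 9-38b: R_T(jT + tau) = R(T)**j * R(tau)."""
    if math.isinf(period):
        return r(t)
    j, tau = divmod(t, period)   # completed maintenance periods, time since
    return r(period) ** j * r(tau)


def mtf_maintained(period, r=r_active_pair, horizon=5000.0):
    """Eq. 9-39; an infinite period means no maintenance at all."""
    if math.isinf(period):
        return integrate(r, 0.0, horizon, n=50000)
    return integrate(r, 0.0, period) / (1.0 - r(period))


def mtf_by_direct_integration(period, r=r_active_pair, horizon=10000.0):
    """Cross-check of Eq. 9-39: integrate R_T(t) itself over a long horizon."""
    return integrate(lambda t: r_maintained(t, period, r), 0.0, horizon,
                     n=200000)


if __name__ == "__main__":
    for period in (math.inf, 150.0, 100.0, 50.0, 10.0):
        print(f"T = {period:>5}: MTF = {mtf_maintained(period):7.1f}")
    # The T = 10 hr value evaluates to about 1101 against the printed 1097;
    # numerator and denominator are both small differences of near-equal
    # numbers there, so the last digits depend on the arithmetic precision.
```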

9-9.2  CORRECTIVE  MAINTENANCE 

Reliability  functions  for  some  simple 
2-unit  redundant  designs,  for  which  repair  of 
a failed  unit  is  possible,  were  developed  by 
Epstein  and  Hosford,  and  are  summarized  in 
this  paragraph  (Refs.  2 and  3). 

At t = 0, all elements are good. Repair starts immediately upon failure of a unit and is perfect. The failure and repair rates are constant (independent of time). Three designs will be considered: Cases 15, 16, and 17.

Case 15. Two units in active redundancy. The constant failure rate of each unit is $\lambda$ and the constant repair rate is $\mu$.

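$$R_{15}(t) = \frac{s_1 e^{-s_2 t} - s_2 e^{-s_1 t}}{s_1 - s_2}, \quad s_1 \neq s_2 \tag{9-46}$$

$$s_1 = \tfrac{1}{2}\left[(3\lambda + \mu) - \sqrt{\lambda^2 + 6\lambda\mu + \mu^2}\right] \tag{9-47a}$$

$$s_2 = \tfrac{1}{2}\left[(3\lambda + \mu) + \sqrt{\lambda^2 + 6\lambda\mu + \mu^2}\right] \tag{9-47b}$$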


MTF15  _ (9-48) 


Case 16. Two units in standby redundancy. Constant unit failure rate is λ; constant unit repair rate is μ.

(9-49)

$$s_3 = \tfrac{1}{2}\left(2\lambda + \mu - \sqrt{\mu^2 + 4\lambda\mu}\right) \tag{9-50a}$$

$$s_4 = \tfrac{1}{2}\left(2\lambda + \mu + \sqrt{\mu^2 + 4\lambda\mu}\right) \tag{9-50b}$$

MTF16  =^7^  (9-51)

Case 17. Two units in standby redundancy. It takes exactly τ hours to repair a failed unit. Constant failure rate is λ.

[f/r  1+1

&„(t)  =

-£

[1  - (i-Dr/t)1.

(9-52)

where

[t/τ] = greatest integer ≤ t/τ
i = exact number of failures

A plot of the reliability functions for these circuits is given in Fig. 9-11.

William H. Von Alven, Ed., Reliability Engineering, © 1964 by ARINC Research Corporation. Reprinted by permission of Prentice-Hall, Inc., Englewood Cliffs, N.J.

FIGURE 9-11. Comparison of s-Reliability Functions for Three Maintenance Situations, Cases 15, 16, and 17 (Ref. 2). Horizontal axis: λt.
CHAPTER 10 RELIABILITY PREDICTION (GENERAL)


10-0  LIST  OF  SYMBOLS 


$a$ = par. 10-2.4, element s-reliability
A£,S = elements (par. 10-4)
$A_n, B_n$ = coefficients
$C, O$ = event of contact Closure or contact Open
>a,-Db>, sb, SC = events (par. 10-4.2)
$F$ = $\bar{O} \cup \bar{C}$
$f, g$ = s-unreliability of binary unit or gate (par. 10-3.3)
$F_c$ = $1 - R_c$
$F_I, F_{II}$ = failure probabilities (par. 10-3.3)
$K$ = 2 M
$m$ = number of chains (par. 10-4.2)
$M$ = number of parts in system (par. 10-3.3)
MVT = Majority Vote Taker
$p$ = element s-reliability; par. 10-2.4, proportion of open failures
P = number of units
$P(\psi)$ = probability of $\psi$; $\psi$ is any event (par. 10-4.2)
Pa = Pr{contact fails to close}
Pb = Pr{contact fails to open}
$p_v$ = s-reliability of MVT
$p_{ij}$ = s-reliability of element ij
Pr{ } = probability of ...
$q$ = $1 - p$
   = failure probabilities (par. 10-4.1)
$q_{ij}$ = $1 - p_{ij}$
$q_s, q_o$ = probabilities of failing short or open
$q_v$ = failure probability of voter
$q_a$ = $1 - p_a$
Q< = failure probability for event i (par. 10-4.1)
$Q_i$ = s-unreliability of circuit i
$R_c$ = s-reliability of chain (par. 10-4.2)
$R_0$ = s-reliability of nonredundant device (par. 10-4.2)
$R, R_s$ = network s-reliability
Rq = s-reliability of elements and/or systems (par. 10-3.3)
s- = denotes statistical definition
$S_j$ = set for minimal-cut;
a,at., dA,pm = notation (par. 10-3.4)
$\lambda, \lambda_\alpha$ = failure rate; failure rate of element $\alpha$
$\bar{\psi}$ = not $\psi$; $\psi$ is any event (par. 10-4.2)
   = failure pdf for $\alpha$ (par. 10-4.1)
% = Cdf for $\alpha$ (par. 10-4.1)
<f> a = Sf for $\alpha$ (par. 10-4.1)
$2n + 1$ = number of identical circuits feeding an MVT
$\in$ = ...is a member of ...
$\cup$ = union

10-1  INTRODUCTION 

Three  main  forms  of  redundancy  (Fig. 
10-1)  will  be  discussed  in  this  chapter,  namely 

1.  Nondecision  redundancy 

2.  Decision  redundancy  without  switching

3.  Decision  redundancy  with  switching. 

Nondecision redundant structures do not require external components to perform the functions of detecting, decision, and switching when an element or path in the structure fails. Examples are Moore-Shannon, single mode series-parallel, single mode binomial, and bimodal series-parallel.

Decision redundant structures without switching require an external element to detect and make a decision when an element or path in the structure fails, but do not need an external element to perform the switching function. Examples are majority logic, multiple line networks, gate connector, and coding.

Decision redundant structures with switching are those in which external elements are required to detect, make a decision, and switch to another element or path to replace a failed element or path. Examples are standby, operating, and duplex.

FIGURE 10-1. Redundancy Tree Structure¹

For each of the redundancy forms, several major characteristics will be covered to permit uniformity of comparison. Each of the forms will be defined and illustrated. Where feasible, reliability block diagrams and the mathematical model for each form will be given. All of the time-dependent models assume that all components are good at time zero. In general, the redundancy models will yield increasing failure rate (IFR) functions for similar elements. See also Chapters 8 and 9.

10-2  NONDECISION  REDUNDANCY 

10-2.1  MOORE-SHANNON  REDUNDANCY 

Moore and Shannon (Refs. 2 and 3) proposed connecting the contacts of relays, with their coils connected in parallel, in physical series-parallel circuits in such a manner that the resulting circuit acts exactly like a single relay.

An idealized switch is defined as a 4-terminal element where complete isolation exists between the control signal and switching path and which presents to the logic signal an infinite impedance ratio between desired and undesired transmission states. The analysis is not generally applicable, however, to 2- and 3-terminal devices such as transistors and tunnel diodes. Furthermore, the Moore-Shannon theory assumes only catastrophic failures; hence, drift failures and aging effects are excluded. Time is not considered at all.

Three  assumptions  are  made  in  developing 
the  mathematical  model. 

1.  The  failure  of  any  element  is  s-independent  of  the  failure  of  any  other  element.

2.  Only  intermittent,  complete  failures 
are  considered. 

3.  The  probability  of  failure  of  an 
element  is  defined  for  each  operation  and  is 
the  same  for  every  element;  time  never 
appears  explicitly. 

Fig. 10-2 illustrates three elementary, redundant, relay-contact networks considered by Moore and Shannon. If p is the probability that a single contact will operate properly, then the probability that two contacts will operate properly is $p^2$. The probability that neither contact operates properly is $1 - p^2$. Consequently, if two relay-contacts, physically in series, are used to connect a path, and both are operated simultaneously, the redundancy improves the reliability for opening the path, but reduces the reliability for closing the path. If four relay-contacts are connected in a physical series-parallel arrangement, as shown in Fig. 10-2(A), the probability of opening the path is $(1 - p^2)^2$, and the probability of closing the path is

$$R = 1 - (1 - p^2)^2 = 2p^2 - p^4 \tag{10-1}$$

The  network  illustrated  in  Fig.  10-2(B)  is 
the  dual  of  the  one  shown  in  Fig.  10-2(A);  the 
probability  of  closing  the  path  is 

$$R = [1 - (1 - p)^2]^2 = 4p^2 - 4p^3 + p^4 \tag{10-2}$$


FIGURE 10-2. Relay Networks Illustrating Moore-Shannon Redundancy¹


The network illustrated in Fig. 10-2(C) is slightly more complex because of the additional contact $x_5$; the probability of closing the path is

$$R = 2p^2 + 2p^3 - 5p^4 + 2p^5 \tag{10-3}$$

These results may be generalized to include any complex redundant network between two points. If m contacts are used in a switching array between two points and if n of them constitute a subset of closed contacts, the probability of closing the path is

$$R = \sum_{n=0}^{m} A_n p^n (1 - p)^{m-n} \tag{10-4}$$

where $A_n$ is the number of combinations of the subsets which correspond to a closed path. Similarly, the probability of opening the path is

$$1 - R = \sum_{n=0}^{m} B_n (1 - p)^n p^{m-n} \tag{10-5}$$

where $B_n$ is the number of subsets of n contacts such that if all contacts in a subset are open and all others closed, the path is open.

By using this approach, arbitrarily reliable relay networks can be built from arbitrarily poor (low reliability) relays, provided enough of the poor ones are used.

Time  can  be  introduced  explicitly  if  the 
following  are  assumed: 

1. The failure of any element is s-independent of the failure of any other element.

2. All failures are permanent; i.e., when an element fails, it remains in the failed condition.

3. The reliability of the elements is known (as a function of time) and is the same for every element. Two failure distributions are defined:

$q_a(t)$ = probability that a contact will fail to close during the interval 0 to t.

$p_b(t)$ = probability that a contact will fail to open during the interval 0 to t.

It  follows  that: 

1. The probability that a contact will be closed whenever it should be closed during the interval 0 to t is

$$p_a(t) = 1 - q_a(t) \tag{10-6}$$

This is the reliability of being closed, defined for this interval.

2. The probability that a contact will be open whenever it should be open during the interval 0 to t is

$$q_b(t) = 1 - p_b(t) \tag{10-7}$$

This is the reliability of being open, defined for this interval.

The total probability of failure of the circuit in the interval 0 to t is the sum of the disjoint probabilities of failure to close and failure to open. The probability that the circuit will fail to close at some time during the interval 0 to t is

$$\Pr\{\bar{C}\} = \sum_{n=0}^{4} B_n (1 - p_a)^n p_a^{4-n} = \sum_{n=0}^{4} B_n q_a^n (1 - q_a)^{4-n} \tag{10-8}$$

where

C = event of closure ($\bar{C}$ = event of not-closure).

Since

$B_0 = 0$, $B_2 = 2$, $B_3 = 4$, $B_4 = 1$,

$$\Pr\{\bar{C}\} = 2q_a^2(1 - q_a)^2 + 4q_a^3(1 - q_a) + q_a^4 = 2q_a^2 - q_a^4. \tag{10-9}$$

The probability of the circuit failing to open at some time during the interval 0 to t is

$$\Pr\{\bar{O}\} = \sum_{n=0}^{4} A_n p_b^n (1 - p_b)^{4-n} = 4p_b^2(1 - p_b)^2 + 4p_b^3(1 - p_b) + p_b^4 = 4p_b^2 - 4p_b^3 + p_b^4 \tag{10-10}$$

where

O = event of opening ($\bar{O}$ = event of not-opening).

Then, the total probability of circuit failure in the interval 0 to t is

$$\Pr\{F\} = \Pr\{\bar{O} \cup \bar{C}\} = \Pr\{\bar{O}\} + \Pr\{\bar{C}\} = 2q_a^2 - q_a^4 + 4p_b^2 - 4p_b^3 + p_b^4 \tag{10-11}$$

where

$F = \bar{O} \cup \bar{C}$.


FIGURE 10-3. s-Reliability Functions for Redundant Relay Networks¹

The reliability functions for the circuits in Fig. 10-2 are given in Fig. 10-3. The figure describes the reliability of the circuits as a function of the reliability of the individual relay.

For the network illustrated in Fig. 10-2(A), the reliability function (Fig. 10-3(A)) lies above the diagonal R = p for values of p greater than 0.618. Therefore, the redundant circuit represents an improvement over a single contact if the reliability of each contact closing is better than 0.618.

For  the  second  network  (Fig.  10-2(B)),  R 
crosses  the  diagonal  at  0.382,  as  shown  in  Fig. 
10-3(B).  The  bridge  network  illustrated  in 
Fig.  10-2(C)  has  a symmetrical  probability 
curve  which  crosses  the  diagonal  at  0.5  (Fig. 
10-3(C)). 
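The coefficients $A_n$ and $B_n$ of Eqs. 10-4 and 10-5 and the crossover points quoted above can be checked by enumerating contact states. The Python sketch below is an added example, not part of the handbook; the three topologies are inferred from Eqs. 10-1 to 10-3 because Fig. 10-2 is not reproduced, and the contact numbering and function names are assumptions made here.

```python
from itertools import combinations

# Minimal closing paths for each network (contacts numbered from 0).
# Assumed topologies: (A) two series pairs in parallel, (B) two parallel
# pairs in series, (C) five-contact bridge with contact 4 as the bridge.
NETWORKS = {
    "A": (4, [{0, 1}, {2, 3}]),
    "B": (4, [{0, 2}, {0, 3}, {1, 2}, {1, 3}]),
    "C": (5, [{0, 1}, {2, 3}, {0, 4, 3}, {2, 4, 1}]),
}


def path_closed(closed, paths):
    """True if the set of closed contacts contains a complete path."""
    return any(path <= closed for path in paths)


def coefficients(m, paths):
    """Return (A, B) as lists indexed by n.

    A[n]: n-subsets of closed contacts that close the path (Eq. 10-4).
    B[n]: n-subsets of open contacts that leave the path open (Eq. 10-5).
    """
    everything = set(range(m))
    A, B = [0] * (m + 1), [0] * (m + 1)
    for n in range(m + 1):
        for subset in combinations(range(m), n):
            chosen = set(subset)
            if path_closed(chosen, paths):
                A[n] += 1
            if not path_closed(everything - chosen, paths):
                B[n] += 1
    return A, B


def close_probability(p, m, A):
    """Eq. 10-4: probability that the network closes the path."""
    return sum(a * p**n * (1 - p) ** (m - n) for n, a in enumerate(A))


def open_probability(p, m, B):
    """Eq. 10-5: probability 1 - R that the network leaves the path open."""
    return sum(b * (1 - p) ** n * p ** (m - n) for n, b in enumerate(B))


def crossover(name, lo=0.05, hi=0.95, tol=1e-10):
    """Bisection for the p at which R(p) = p, i.e. where redundancy breaks even."""
    m, paths = NETWORKS[name]
    A, _ = coefficients(m, paths)

    def gain(p):
        return close_probability(p, m, A) - p

    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if gain(lo) * gain(mid) <= 0:
            hi = mid
        else:
            lo = mid
    return 0.5 * (lo + hi)


if __name__ == "__main__":
    for name, (m, paths) in NETWORKS.items():
        A, B = coefficients(m, paths)
        print(name, "A_n =", A, "B_n =", B, "crossover p =", round(crossover(name), 3))
```
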

As  shown  in  the  discussion  of  reliability 
gain,  the  reliability  of  a Moore-Shannon  type 
circuit  can  be  degraded  below  some  specified 
value,  depending  on  the  topography  of  the 
circuit.  The  use  of  these  circuits  in  situations 
where  the  performance  characteristics  of  the 
parts  must  be  considered  also  may  degrade 
the  reliability  of  the  redundant  structure  as 
compared  with  the  single  part. 


FIGURE 10-5. Reliability Block Diagram for a Single Mode Series-parallel Redundant Structure¹ (m paths, n units; $p_{ij} = 1 - q_{ij}$)


10-2.2 SINGLE MODE SERIES-PARALLEL REDUNDANCY

The single mode series-parallel structure is a group of n units in series; there are m parallel elements in each unit in which only one mode of failure can occur (Ref. 1).

In the circuits of Fig. 10-4, $A_{ij}$ elements are subject only to open-type failures while $B_{ij}$ elements are subject only to short-type failures. Both of these circuits have the reliability block diagram shown in Fig. 10-5. Each of the elements is s-independent of each other, with failure probability $q_{ij}$ for the element i in the unit j, so that

$$R = \prod_{j=1}^{n} \left(1 - q_{1j} q_{2j} \cdots q_{mj}\right) \tag{10-12}$$

10-2.3 SINGLE MODE BINOMIAL REDUNDANCY (k-out-of-n)

The reliability of a k-out-of-n:G system is, from Eq. 8-1a,

$$R = \sum_{i=k}^{n} \binom{n}{i} p^i (1 - p)^{n-i} \tag{10-13}$$

where

p = reliability of a single unit (see par. 8-2).

10-2.4 BIMODAL SERIES-PARALLEL REDUNDANCY

A bimodal series-parallel redundant structure is one in which elements are connected in a series-parallel configuration, and which is susceptible to two modes of failure, such as opens and shorts (Ref. 1). The reliabilities are all conditional on the set of events which are required for the elements to be conditionally s-independent. For example, if four transistors are on the same chip, they will not be s-independent for many failure modes. Included in this form are what are commonly known as Quad configurations. A typical circuit is shown in Fig. 10-6 and the reliability block diagram in Fig. 10-7. The elements are s-independent of each other. They can fail either open or short.

FIGURE 10-4. Single Mode Series-parallel Redundant Structures¹

FIGURE 10-6. Schematic Diagram of a Diode and Transistor Quad Bridge Network Illustrating Bimodal Series-parallel Redundancy

The conditional reliability of the transistor Quad, where a is the probability of nonfailure of a transistor and p is the proportion of transistor failures due to opens, is (Ref. 4)

$$R = \underbrace{a^4}_{\mathrm{I}} + \underbrace{4a^3(1 - a)}_{\mathrm{II}} + \underbrace{4a^2(1 - a)^2\,[1 + p(1 - 2p)]}_{\mathrm{III}} + \underbrace{8a(1 - a)^3\,p(1 - p)^2}_{\mathrm{IV}} \tag{10-14}$$

where

I = probability that all four transistors survive t hours of operation without failure.

II = probability that three of the four transistors survive t hours of operation without failure while the other transistor fails.

III = probability that two of the four transistors survive while the other two transistors fail prior to time t in a favorable manner; i.e., failure of the two transistors does not cause configuration failure. This probability represents the sum of:

1. $4a^2(1 - a)^2(1 - p)^2$, the probability that two transistors short prior to time t (however, both failures are not in the same leg of the Quad); and

2. $12a^2 p(1 - p)(1 - a)^2$, the probability that two transistors fail prior to time t where one is a short and the other an open.

IV = probability that three transistors fail prior to time t: two of the transistors short and the other opens (however, the two shorts are not in the same leg of the Quad).

FIGURE 10-7. Reliability Block Diagram of a Diode and Transistor Quad Bridge Network¹

In general, for a network of identical elements in m paths, where success is neither an open nor short network,

R = [l~qna]m  ~ [1  ~ (1  - 

(10-15) 

where

$q_s$ = probability of failing short, for an element

$q_o$ = probability of failing open, for an element.

The reliability equation for the bridge network is a function of whether or not the elements are polarized. Polarized elements allow current to flow in one direction only.

For identical nonpolarized elements which allow current to flow in either direction (Ref. 2)

R = (1—  qa  ~ - 2g2  + (1  - q2)2  ] 

+ qa  {(i  - qs)  - [i  - (i  - O2  ]2  > 

+ qs{(i-qa)2  - [i  - (i  - gs)2 ] 2 } - (io-i6> 

For  identical  polarized  elements  which  allow 
current  to  flow  in  one  direction  only, 

R = (l-q0-qs)[2^-3g2+  (1 -<,»)*] 

+ q0ia-Qs)2  - [i  - (i  - <?0)2]2  } 

+ qs{(l-q0)2-  [1-  (1  - qs)2V }■ 

(10-17) 

Although  conditional  reliability  increases 
as  a result  of  using  a Quad,  several  important 
design  factors  must  be  considered,  namely: 

1.  Using  transistors  in  a Quad  configuration  subjects  them  to  more  vigorous  and  demanding  parameter  requirements.

2.  The  redundant  configuration  can  drive 
but  one  fourth  the  load  of  the  nonredundant 
circuit. 

3.  The  Quadding  approach  is  inherently 
a slower  one,  increasing  signal  propagation 
time  by  at  least  2:1. 

4.  The  redundant  design  will  dissipate  up 
to,  and  possibly  more  than,  four  times  the 
power  of  a single  transistor,  if  maximum 
speed  is  desired. 

5. The Quadding layout usually will demand a greater supply voltage and, therefore, cause the minimum power ratio to be about 2:1, redundant to nonredundant.

6. Failure of any unit of a Quad can increase semiconductor heat dissipation per unit up to four times. A direct consequence of this is requiring the lowering of ambient operating temperature to keep semiconductor junction temperatures below the danger point.

10-2.5  SUMMARY  TABLE 

Table 10-1 summarizes the important characteristics of component redundancy for different combinations of short to open failure when the elements are susceptible to both. The failure conditions, reliability equation, approximate probability of failure, and impedance variation due to redundancy are presented.

10-3 DECISION-WITHOUT-SWITCHING REDUNDANCY

10-3.1  MAJORITY  LOGIC  REDUNDANCY 

Majority logic is a form of decision redundancy for which the correct output is assumed to be the one found in a majority of the channels. The concept of majority logic was first proposed by von Neumann and has since been enlarged upon by many authors. Von Neumann's original concept required extremely high redundancy to achieve high reliabilities, but later techniques give high reliability with a rather low degree of redundancy. Typical structures are shown in Figs. 10-8 and 10-9.

The probability of success for the majority group is, from Eq. 8-17,

$$R = p_v \sum_{i=n+1}^{2n+1} \binom{2n+1}{i} p^i q^{2n+1-i} \tag{10-18}$$

where

p = probability that a circuit is operating properly

q = (1 − p) = probability that the circuit has failed

$p_v$ = probability of success of Majority Vote Taker MVT

2n + 1 = number of units.


FIGURE 10-8. Basic Majority Vote Redundant Circuit¹ (computing blocks feeding majority logic with equal weights; MVT = Majority Vote Taker)
TABLE 10-1. COMPONENT REDUNDANCY¹

Component Configuration

Failure Conditions

Short or open

Single open or two shorts. Used where $p_o \ll 0.5$

Single short or two opens. Used where $p_o \gg 0.5$

Single short or two opens. Used where $p_o \gg 0.5$

Single short or three opens. Used where $p_o \gg 0.5$

Two shorts in same leg or one open in each leg. Used where $p_o < 0.5$

Three opens or opens in both elements connected to either input or output nodes. Two shorts in same leg or shorts at alternate ends of two legs. Used where $p_o > 0.5$


Reliability 

3f>Jpf 


| Maximum 
Approximate  i Impedance 


R2+2  RP. 


R2+2RP_ 


R4+4R 


Probability 
of  Failure 
Pf«  1 


P.+P'* 

s o 


sP„ 


2 P. 


&0 * + 4P, 


R4+4R3Pq  +6R2Pq  4PJ  + 4P 


R4  + 4R3P0  + 4R3Ps  4 P 2 + 2 p2 
+ 12R2P0Pt  + 2R2P0  r 3 

+ 4R2ps2  + 4fipo2ps 
+ 8 RP,2PQ 


R4  + 4R2pa  4-  4p3pg 
+ 4R2p0  + 2R2p2 
+ 12R2paPt  + 8RPa2pi 
4RP,2P0 


Varietion 
Due  to 

Redundancy  | 
0% 

-50% 


+ 100% 


+ 331/3% 


+ 100% 


+ 100% 


4P,2  + 2Pa2  +100% 


* $p_o$ ($p_s$) is the conditional probability of the component opening (shorting) given that the component fails.
+ Pa  + P,  = 1 for  single  element. 
FIGURE 10-9. Majority Vote Redundant Circuit With Multiple Majority Vote Taker¹

The lower degrees of redundancy give the approximate failure probabilities listed in Table 10-2.

TABLE 10-2

APPROXIMATE FAILURE PROBABILITIES FOR MAJORITY LOGIC REDUNDANCY¹

2n + 1 (Degree of Redundancy)     Approximate Failure Probability
3                                 $q_v + 3q^2 - 2q^3$
5                                 $q_v + 10q^3 - 15q^4 + 6q^5$
7                                 $q_v + 35q^4 - 84q^5 + \cdots$
9                                 $q_v + 126q^5 - 420q^6 + \cdots$

$q_v$ = failure probability of MVT
$q$ = failure probability of logic element

Using higher degrees of redundancy will not substantially improve overall reliability, since the majority vote taker (MVT) reliability soon becomes the limiting factor. Even for threefold redundancy (2n + 1 = 3), $q_v$ is the major cause of failure if q is reasonably small.

When majority logic is applied to each block, and every MVT is triplicated except the last one, the resultant failure probability for the general case, using a (2n + 1)-fold majority logic and m blocks, is as follows:

(10-19)

where the notation is shown on Fig. 10-10.

Assuming that all the failure probabilities are reasonably small, this becomes

$$1 - R \approx q_v + \binom{2n+1}{n+1}\left(q/m\right)^{n+1} + (m - 1)\binom{2n+1}{n+1}\left(q_v + q/m\right)^{n+1}$$

where q is the probability of failure for the nonredundant system.

For threefold majority logic (n = 1), the probability is

$$1 - R \approx q_v + 3(q/m)^2 + 3(m - 1)(q_v + q/m)^2 \tag{10-21}$$

The MVT is considered ideal if $\lambda_v t < 1$ where $\lambda_v$ is the failure rate of the MVT and t is the mission time. If the MVT is ideal, rather than infallible, and if the number of MVT failures in a given length of time obeys the Poisson distribution, then

$$p_v(t) = e^{-\lambda_v t} \tag{10-22}$$

where $p_v$ is the probability that a vote taker is working properly.

It is assumed that the output of a nonfunctioning vote taker is the complement of the correct output.

If the failure rate of the MVT's is too large to be neglected, redundant MVT's can be used. In this case, the failure rate of an individual circuit can be considered to include the circuit and the vote taker feeding that circuit. The overall system then becomes equivalent to a system using nonredundant ideal MVT's. If the probability of survival for an individual circuit is

$$p = p_v p_0 = \left(e^{-\lambda_v t}\right)\left(e^{-\lambda_0 t}\right) = e^{-(\lambda_0 + \lambda_v)t} \tag{10-23}$$

- £ (SV‘)

i-  o

(10-24)

which is equivalent to the probability of success for m majority groups.

It can be shown that the maximum reliability is achieved with nonideal vote takers if (Ref. 5)

$$\lambda_0 / \lambda_v = 1/(2n + 1) \tag{10-25}$$

where

$\lambda_0$ = failure rate of the circuit

$\lambda_v$ = failure rate of the vote taker

(2n + 1) = number of identical circuits.

(10-26)

It is usually necessary to carry system output on a single line, in which case the redundancy scheme proposed by Moore and Shannon could be used to improve the reliability of system output, thus eliminating the final vote taker from the analytic expression. This form of redundancy is usually associated with binary inputs and outputs. It can be applied in situations that call for either intermittent or continuous operation in time. Some conclusions which can be drawn from all this are:

1. Assuming ideal vote takers, a digital system will be most reliable if majority logic is applied at as low a level as possible, i.e., when the system is divided into as many digital subsystems, each followed by a majority vote taker, as possible.

2. On the other hand, it is clear that the MTF for the system will always be less than the MTF for the individual circuit. In the limit as the system MTF can be 0.69 times the MTF for the individual circuit.

3. The use of redundancy and majority logic gives the greatest improvement in reliability in the case of large systems, i.e., in systems for which it is possible to achieve large values of m.

4. The full reliability improvement can be realized only if all circuits are working properly at time t = 0. This causes a checkout and repair problem.

5. Unless the nonredundant fault probability q is small, very high degrees of redundancy are required to reduce system failure probability. For q > 0.5, any degree of majority logic redundancy will actually degrade reliability, although q > 0.5 is not very realistic for anything but deep-space probes.

6. If nonredundant MVT's of limited reliability are used anywhere in a redundant system, they will constitute for some period of time the most likely source of system failure.

FIGURE 10-10. Reliability Block Diagram for Circuit With Threefold Majority Logic¹ (MVT = Majority Vote Taker. Failure probability is shown for each element.)
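Eq. 10-18, the rows of Table 10-2 and conclusions 2, 5 and 6 can be checked numerically. The Python sketch below is an added example, not part of the handbook; it assumes exponential circuits with p = e^{-λt} and an ideal MVT for the MTF ratio, and the function names and integration settings are choices made here.

```python
from math import comb, exp

# Leading terms of Table 10-2 as (coefficient, power of q), keyed by 2n + 1.
TABLE_10_2 = {
    3: [(3, 2), (-2, 3)],
    5: [(10, 3), (-15, 4), (6, 5)],
    7: [(35, 4), (-84, 5)],
    9: [(126, 5), (-420, 6)],
}


def majority_reliability(p, n, p_v=1.0):
    """Eq. 10-18: at least n + 1 of the 2n + 1 circuits work, and the MVT works."""
    total = 2 * n + 1
    return p_v * sum(comb(total, i) * p**i * (1.0 - p) ** (total - i)
                     for i in range(n + 1, total + 1))


def table_failure(q, n, q_v=0.0):
    """Approximate failure probability from the Table 10-2 row for 2n + 1."""
    return q_v + sum(c * q**k for c, k in TABLE_10_2[2 * n + 1])


def mtf_ratio(n, x_max=40.0, steps=4000):
    """MTF of the majority group divided by the MTF of one circuit.

    Simpson integration of R over x = lambda * t with p = exp(-x).
    """
    h = x_max / steps
    total = majority_reliability(1.0, n) + majority_reliability(exp(-x_max), n)
    for i in range(1, steps):
        weight = 4 if i % 2 else 2
        total += weight * majority_reliability(exp(-i * h), n)
    return total * h / 3.0


if __name__ == "__main__":
    q, q_v = 0.01, 0.001
    for n in (1, 2, 3, 4):
        exact = 1.0 - majority_reliability(1.0 - q, n, 1.0 - q_v)
        print(f"2n+1 = {2 * n + 1}: failure = {exact:.3e} "
              f"(table: {table_failure(q, n, q_v):.3e}), "
              f"MTF ratio = {mtf_ratio(n):.3f}")
    # With q > 0.5 the majority group is worse than a single circuit.
    print("p = 0.4:", [round(majority_reliability(0.4, n), 3) for n in (1, 2, 3, 4)])
```

With q = 0.01 and q_v = 0.001 the failure probability stays just above q_v at every degree of redundancy, and the MTF ratio falls from 5/6 toward 0.69 as n grows.
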

10-3.2  MULTIPLE  LINE  REDUNDANCY 

Multiple line redundancy has been studied extensively by Westinghouse and is one of the most efficient types of circuit redundancy (Refs. 6 and 7). It is applied by replacing the single circuit of a nonredundant network by m identical circuits operating in parallel, where m is called the order of the redundancy.

The reliability improvement achieved by these redundant circuits depends on the ability of the network to experience circuit failures without degradation of the network operation. The use of restorers within the network provides this characteristic. The restorer consists of m restoring circuits which, when operating correctly, can derive the correct output from k of m correct inputs. A typical circuit is shown in Fig. 10-11.

A reliability  model  can  be  developed 
based  on  the  following  assumptions: 

1. The circuits in the network are s-independent.

2. Only an approximation to the exact reliability will be given, and it is based on techniques described in Refs. 3 and it. The approximation is good if the reliabilities of the circuits in the network are close enough to one.

3. The approximation is based on the concepts of minimal cuts, discussed previously, and coherent systems. A system is coherent if it meets the following four conditions:

a. If a group of circuits in the system is failed, causing the system to fail, the occurrence of any additional failure or failures will not return the system to a successful condition.

b. If a group of circuits in the system is successful and the system is successful, the system will not fail if some of the failed components are returned to the successful condition.

c. When all the circuits in the system are successful, the system is successful.

d. When all the circuits in the system fail, the system fails. The system shown in Fig. 10-12 is an example of a coherent system.

FIGURE 10-11. Order-three Multiple Line Redundant Network¹

The lower bound to system reliability is the probability that none of the system minimal cuts fail; for the sample in Fig. 10-12, it is

R,  » (l  - Q1Q2)d  - QMd  - Q2QM 

(10-27) 

where

$R_s$ = system reliability

$Q_i$ = the probability of failure for circuit i.

This equation is approximate because the failures of minimal cuts are assumed to be s-independent which is generally not true, since one component may appear in several minimal cuts.

FIGURE 10-12. A Coherent System¹

If minimal cut j is denoted by set $S_j$ then $\prod_{i \in S_j} Q_i$ is the probability of failure for minimal cut j. The lower bound of the system reliability is

$$R_s = \prod_{j=1}^{c} \Bigl\{ 1 - \prod_{i \in S_j} Q_i \Bigr\} \tag{10-28}$$

where

c = number of minimal cut sets
∈ = "is a member of".

Thus, the determination of the lower bound on reliability requires that the minimal cuts of the network be identified. In a multiple line network with restorers, a cut is any group of circuits whose failure causes the outputs of at least one restored function to have (m − k + 1) or more failed lines. This would constitute a network failure.

The minimal cuts of a multiple line redundant network have three characteristics that are sufficient to establish their identity:

1. All the members of the minimal cut are circuits in a restored function or restorers that are the input sources of that restored function.

2. The failure of each member of the minimal cut will cause one output line of the restored function to be in error, and each member will be in a different position.

3. The failure of a minimal cut will cause exactly (m − k + 1) output lines of the restored function to be in error; hence, a minimal cut will have (m − k + 1) members.

If all the sets of circuits that fulfill these characteristics are listed for each of the restored functions in the network, all of the minimal cuts of the network and the lower bound for the network reliability can be found.

The improvement in system reliability is comparable to the improvement in the reliability of a circuit when a particular element is made redundant. The improvement will not be of the same magnitude, because of the addition of restorers in the multiple line network.

Multiple line redundancy results in improved reliability of the system unless the individual circuit reliabilities are very low. Low circuit reliabilities cause the restorers to choose the wrong value if k of the m circuits have failed.

The lower limit approximation given for the multiple line network is not good if the circuit reliabilities are not close enough to one. If the order of the redundancy exceeds three, the determination of the input sources becomes quite difficult. Boolean techniques can be used for determining the input sources of a function.

10-3.3 GATE-CONNECTOR REDUNDANCY

Gate-connector, or gate-connected, redundancy is a combination of several binary circuits connected in parallel along with a circuit of switch-like gates which serves as the connecting majority organ (Refs. 1 and 10). The gates contain no components whose failure would cause the redundant circuit to fail, and any component failures in the gate connector act as though the binary circuits were at fault.

Gate-connector redundancy applied to four units in parallel and a 4-element network for the gate connector is shown in Fig. 10-13.


FIGURE 10-13. Circuit Illustrating Gate-connector Redundancy1

For this circuit, the following assumptions and nomenclature are used.

1. f = probability of failure for each binary unit

2. g = probability of failure for each gate

3. Failures are s-independent

4. If the circuit is closed when it should be open, it is a Type I failure

5. If the circuit is open when it should be closed, it is a Type II failure.

The output with Type I failures should be zero, but may be, mistakenly, one. The output of G1 will be one if unit 1 fails, G1 fails, or both fail. The probability of this event taking place is

$$F_{1a} = 1 - (1 - f_1)(1 - g_1) \tag{10-29}$$

where the subscript 1 designates Type I failures. When a one is received from G1, a one will be transmitted to the output if unit 2 fails, G2 fails, or both fail. Therefore, the probability of getting a one in the left channel is

$$F_{1b} = [1 - (1 - f_1)(1 - g_1)]^2 . \tag{10-30}$$


FIGURE 10-14. Gate Unit' (Note on the figure: gate failures are assumed to include shorts between control and output.)


Now we must investigate what happens when a zero is at the output of G1 and both unit 2 and G2 fail. Whether a failure occurs or not depends on how the gate circuit fails. Fig. 10-14 shows a gate unit with leads labeled control, input, and output. In the gate-connector circuit, the control is connected to the output of the binary unit, and the input and output connections are used in the connector circuit. The gate input is connected electrically to the output only if a one is present on the control. Now, if it is assumed that only a one can be obtained from the output when a one is present in the input, the circuit will not fail when G2 has a zero on the input and unit 2 and G2 fail. However, if it is assumed that the gate unit fails in a shorted condition in such a way that a one is obtained at the output when a zero is on the input and a one is on the control element, the circuit will fail if unit 2 and G2 fail. This latter case will be assumed and, when this is taken into account, the probability of failure for one channel becomes

$$F_{1c} = [1 - (1 - f_1)(1 - g_1)]^2 + (1 - f_1)(1 - g_1) f_1 g_1 \tag{10-31}$$

and the probability of failure of the circuit of Fig. 10-13 due to Type I failures is

$$F_1 = 1 - \{ 1 - [1 - (1 - f_1)(1 - g_1)]^2 - (1 - f_1)(1 - g_1) f_1 g_1 \}^2 . \tag{10-32}$$

The failure probability for Type II failures will be simpler. When the output should be one and the failures make it zero, the extra term does not appear and the equation for Type II failures is simply

$$F_2 = \{ 1 - [(1 - f_2)(1 - g_2)]^2 \}^2 . \tag{10-33}$$

If it is assumed that $f_1 = f_2$ and $g_1 = g_2$, it cannot be shown that one of the expressions is greater than the other for all values of f and g; but in the region of values of f and g where reliability improvement is obtained, $F_2 > F_1$. Let F be the upper bound of failure probability for the redundant circuit, and let f and g be the greater of the Type I or Type II failure probabilities. Then, in the region where reliability improvement is obtained,

$$F = \{ 1 - [(1 - f)(1 - g)]^2 \}^2 . \tag{10-34}$$

If a nonredundant system with reliability $R_0$ is divided into M s-independent parts of equal reliability, part M of the system would have a reliability equal to the Mth root of $R_0$. The reliability of part M of the nonredundant portion of the system corresponds to (1 - f) in the equations. Thus,

$$R_0^{1/M} = (1 - f) . \tag{10-35}$$

The reliability of the redundant system is the reliability of one redundant unit raised to the power M. This gives the following equation for reliability:

$$R = \{ 1 - [1 - (1 - g)^2 R_0^{2/M}]^2 \}^M \tag{10-36}$$

There is an optimum value of M. In the region of g and $R_0$ where reliability improvement is obtained, the maximum value of M should be used. In practice, it is difficult to use single active element circuits as s-independent circuits. A reasonable s-independent block in a system would consist of two active elements. Such circuits would include flip-flops, clock generators, two-way logic circuits, and so forth.
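A numerical look at the optimum value of M in Eq. 10-36: the function below evaluates the equation and scans M to find where the redundant reliability peaks for a given gate failure probability. This is an added example, not part of the handbook; the values of $R_0$ and g and the scan limit are assumptions chosen for illustration.

```python
def redundant_reliability(r0, g, m):
    """Eq. 10-36: reliability of a system of M gate-connected redundant parts.

    r0 : reliability of the nonredundant system
    g  : failure probability of each gate
    m  : number of s-independent parts the system is divided into
    """
    # [(1 - f)(1 - g)]^2 with (1 - f) = R0^(1/M), from Eq. 10-35
    path = (1.0 - g) ** 2 * r0 ** (2.0 / m)
    # Eq. 10-34: upper bound on the failure probability of one redundant part
    part_failure = (1.0 - path) ** 2
    return (1.0 - part_failure) ** m


def best_partition(r0, g, m_max):
    """Scan M = 1..m_max and return (M, R) at the maximum of Eq. 10-36."""
    best_m = max(range(1, m_max + 1),
                 key=lambda m: redundant_reliability(r0, g, m))
    return best_m, redundant_reliability(r0, g, best_m)


if __name__ == "__main__":
    R0 = 0.5  # assumed nonredundant reliability
    for g in (0.0001, 0.001, 0.01):  # assumed gate failure probabilities
        m_opt, r_opt = best_partition(R0, g, 20000)
        r_single = redundant_reliability(R0, g, 1)
        print(f"g={g:<7} M=1 gives R={r_single:.4f}; "
              f"optimum M={m_opt} gives R={r_opt:.4f}")
```

With too few parts each part is so unreliable that squaring its failure probability gains little, and with too many parts the gate failures dominate, so the peak moves to smaller M as g grows.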

If a machine consists of K active element circuits, M = K/2. A gate is assumed to be equivalent to one active element circuit. When this is substituted into the preceding equation, the result is


Since the gate-connector redundancy can be applied at a low component organization level, it is suitable for use in conjunction with the Moore-Shannon redundancy.

Critical components that require better than ± 50 percent component-value tolerances can be made redundant by the gate-connector redundancy in a machine that is made redundant by Moore-Shannon redundancy.

A factor which should not be overlooked when designing with gate-connector redundancy is that the switch-like gate connector must contain no components whose failure would cause the redundant circuit to fail.


10-3.4 CODING REDUNDANCY

Coding redundancy is a method of incorporating passive self-repair in order to improve reliability (Refs. 1 and 11). It is used for processing unreliable information in logical networks such as computers. Binary signals that are to be used as inputs can be checked using coding redundancy.

Under certain restrictions, the type of coding redundancy proposed by Tooley (Ref. 11) avoids the usual complexity requirements for redundancy.

A model for an AND gate is shown in Fig. 10-15 in two equivalent forms with noise, denoted by P(0|1) and P(1|0), added. The restrictions assumed in the model by Tooley are:

1. The errors for each of the logical devices must be s-independent.

2. The logical function of a device cannot be changed by some condition in one of its inputs.

FIGURE 10-15. Two Models for a Noise AND Gate’

The method for increasing the reliability of combinational logic networks can be summarized as follows. A given network designed to compute a function $F(x^m)$ is replaced by one that is designed to compute a new function $H(x^\ell)$. $H(x^\ell)$ is defined as that function which is equivalent to successive applications of a decoding function $d(x^\ell)$, a desired computation $F(x^m)$, and an encoding function e such that

$$H(x^\ell) = e\{F[d(x^\ell)]\} \tag{10-38}$$

where

$$\begin{aligned}
H(x^\ell) &= \{H_1(x^\ell), H_2(x^\ell), \ldots, H_n(x^\ell)\} \\
e\{F[d(x^\ell)]\} &= [\,e_1\{F[d(x^\ell)]\},\ e_2\{F[d(x^\ell)]\},\ \ldots,\ e_n\{F[d(x^\ell)]\}\,] \\
e_i\{F[d(x^\ell)]\} &= e_i\{F_1[d(x^\ell)],\ F_2[d(x^\ell)],\ \ldots,\ F_m[d(x^\ell)]\} \\
F_i[d(x^\ell)] &= F_i[d_1(x^\ell),\ d_2(x^\ell),\ \ldots,\ d_m(x^\ell)] \\
d_j(x^\ell) &= d_j(x_1^\ell,\ x_2^\ell,\ \ldots,\ x_\ell^\ell) .
\end{aligned} \tag{10-39}$$

Here, $d(x^\ell)$ is the decoding function corresponding to some error-correcting code that is assumed to have been used on the output of the preceding network, and e is the encoding function corresponding to some code which, of course, also must be accommodated on the input of the following network. The net result is to replace one network by another where the two networks are related through two error-correcting codes, such that, in the absence of errors, a given input and output state of the second is the encoded form of the corresponding input and output states of the first.

The performance of devices using coding redundancy can improve the correctness of output signals and also the engineering confidence of the individuals using the equipment. If the decoding function becomes complex, the usefulness of coding redundancy is minimized, and this appears to be the major drawback of coding redundancy.

To estimate reliability improvement, consider first a system model that will be used to estimate a system error probability. In this model, a system consists of N combinatorial networks arranged in an arbitrary order (any combination of series and parallel). Network j has $n_j$ outputs being generated by devices having a fan-in of $z_j$, each of which has an error probability of $p(z_j)$. Let $\alpha_j$ be defined as the probability that more than $t_j$ of the $n_j$ outputs are in error, where $t_j$ is the maximum number of errors that can be corrected by the code used in the output of network j. Assume that a system error is obtained if one or more networks generate an output having more than $t_j$ errors, then P, the probability of a system error, can be calculated as

$$P = 1 - \prod_{j=1}^{N} (1 - \alpha_j) \tag{10-40}$$

where

$$\alpha_j = \sum_{i=t_j+1}^{n_j} \binom{n_j}{i}\, p^i(z_j)\,[1 - p(z_j)]^{n_j - i} \approx \binom{n_j}{t_j+1}\, p^{t_j+1}(z_j), \qquad n_j\, p(z_j) \ll 1 . \tag{10-41}$$

Let a measure of improvement I, the improvement factor, be defined as the ratio of the system error probability before and after coding,

$$I = P_B / P_A \tag{10-42}$$

where

B, A are subscripts referring to Before and After coding, respectively.

If, for simplicity, it is assumed that the system is sufficiently homogeneous that all the networks have the same number of inputs and outputs, and the same error-correction capacity ($n_i = n_j$, $z_i = z_j$, and $t_i = t_j$, for all i and j), then

$$\alpha_i = \alpha_j = \alpha \tag{10-43}$$

for all i, j, and

$$P = 1 - (1 - \alpha)^N \approx N\alpha, \qquad N\alpha \ll 1 . \tag{10-44}$$

Thus,

$$I \approx \alpha_B / \alpha_A . \tag{10-45}$$

A detailed explanation of the practical problems associated with this type of design is presented in Ref. 12.

10-4 DECISION-WITH-SWITCHING REDUNDANCY

10-4.1 STANDBY REDUNDANCY

A system in which a component or unit is standing by idly (cold standby) and operates only when the preceding unit fails is said to be using standby or sequential redundancy (Refs. 1 and 13). A standby system usually requires failure-sensing and/or switching networks or devices to put the next unit into operation.

FIGURE 10-16. System Illustrating Standby Redundancy1

Fig. 10-16 shows two elements where A is operating and B is in standby redundancy, waiting until A fails, and S is the sensing and switching mechanism. The device operates in the following four mutually exclusive ways:

1. S is operating properly. It monitors A, and if A fails, it turns B on, and the device operates until B fails (Case 1).

2. S fails by not being able to sense and/or switch, and when it fails, A is operative and the device fails when A fails (Case 2).

3. S fails and in failing it switches to B. A is still operating when S fails, but the device fails when B fails (Case 3).

4. A is operating and S fails. The signal path through S becomes open or short and the entire device fails at the time S fails (Case 4).

The notation for Eqs. 10-46 through 10-49 follows:

$\phi_a$ = failure pdf for a, a = A, B, S
$\Phi_a$ = failure Cdf for a, a = A, B, S

$\bar{\Phi} = 1 - \Phi$

$q_1$ = probability that S fails and the switch stays on A

$q_2$ = probability that S fails and the switch goes to B

$q_3$ = probability that S fails in such a way that the signal path is shorted or open

$q_1 + q_2 + q_3 = 1$.


For Case 1:
“ 1 


Ql(0  =I \jf  2 

(10-46) 


1 2 * 0 f j * 0 

For Case 2:

$$Q_2(t) = q_1 \int_{t_1=0}^{t} \Phi_S(t_1)\,\phi_A(t_1)\,dt_1 . \tag{10-47}$$


For  Case  3: 


Q. 


M-Uf  &B  (^2  )/* 

f2“°  *U1  = 0 

\(t1)<f>s(t1)dt1dt2  . 
(10-48)

For Case 4:

$$Q_4(t) = q_3 \int_{t_1=0}^{t} \bar{\Phi}_A(t_1)\,\phi_S(t_1)\,dt_1 . \tag{10-49}$$

For the entire device

$$Q(t) = Q_1(t) + Q_2(t) + Q_3(t) + Q_4(t) . \tag{10-50}$$


For the special case of the exponential failure law where $\lambda_S$ is the failure rate of the switching mechanism, and $\lambda = \lambda_A = \lambda_B$ is the failure rate of the two systems A and B, standby redundancy is better than two systems in parallel if $\lambda > \lambda_S$. If $\lambda = \lambda_S$ the two types of redundancy are equal; and if $\lambda < \lambda_S$, parallel redundancy is superior.

The gain for a specified mission can be measured in terms of the ratio of the reliability of the structure with standby redundancy to the reliability of alternate structures.

10-4.2 OPERATING REDUNDANCY

In operating redundancy, s-independent identical units operate simultaneously with a common input (Refs. 1 and 14). A failure detector is associated with each unit, and a switch is connected to the outputs. All units are operating initially, and the output of one unit is used until that unit fails. The switch then steps to the next operating unit and remains there until that unit fails.

Fig. 10-17 shows a typical switching circuit in which C represents the redundant components and D the individual detectors. The reliability block diagram has the same form as Fig. 10-17.

The following assumptions are made:

1. There are m chains ordered 1, ..., m and all m operate from the initial time until each fails.

2. The stepping switch is connected so that its inputs are the outputs of the m chains; the output of the switch is the output of the system. The switch operates sequentially, starting with chain 1. The switch indicates when all m chains have failed.

3. A failure-detecting device operates in conjunction with each chain and performs the following functions:

a. If failure occurs in the chain to which the switch is connected, a signal is sent immediately to the switch, causing it to step.

b. If a failure occurs in a chain to which the switch is not connected, a signal is stored; and if the switch steps to that chain, it is signaled to step once more.

4. No time is consumed by the failure-detecting and switching operations.

5. The reliability of a chain is the product of the reliabilities of its components.


FIGURE 10-17. System of m Redundant Chains Illustrating Operating Redundancy1


The reliability of the system depends on the reliabilities of the chains, the failure detectors, and the switches. For the detectors and switches, there are two modes of behavior with which reliabilities are associated, i.e.,

1. $D_a$ and $S_a$ (Fig. 10-18): the device operates when failure occurs. This function can be performed only once for each chain, and the probability is defined for a single operation that takes place in negligible time.

2. $D_b$ and $S_b$: the device does not spontaneously operate during a period of time in which no failure occurs. This type of failure, like a chain, is defined for the length of time required for the machine to complete the assigned task.

Therefore, the following probabilities are defined:

1. $R_c$ = s-reliability of the chain, i.e., the probability that it performs its functions adequately for the duration of the assigned task.

2. $P(D_a)$ = conditional probability that when a failure occurs in a chain, the failure is detected and a signal is sent to the switch under conditions a or b. A consideration in $P(D_a)$ is the probability that the switch control is connected to the error detector for the chain at which the switch is positioned.

3. $P(D_b)$ = conditional probability that when no failure occurs in a chain for the duration of the task, no signal is transmitted to the switch when it is positioned at that chain.

4. $P(S_a)$ = conditional probability that when the switch receives a failure signal, the connection at which it stands is broken and a good connection is made to the next chain.

5. $P(S_b)$ = conditional probability that if the switch does not receive a failure signal for the duration of the task, it does not step at any time during the run. If it does step, it makes contact on the next chain.

6. $P(S_c)$ = conditional probability that if a good connection is made every time the switch steps, a good connection exists between some chain (or the device indicating system failure) and the system output at all times during the run. Switching occurs in zero time.

The reliability of the system of m redundant chains is defined as the probability that it performs the assigned task successfully. This occurs if, for the duration of the task, the switch constantly makes a good connection to a chain that is functioning adequately. This can take place in m mutually exclusive ways, corresponding to the final connection to the m switch contact.

FIGURE 10-18. Failure Diagram of a Chain1

The possible modes of behavior of a chain are diagrammed in Figure 10-18. Successful operation through a given chain requires that the chain function adequately, $R_c$; that the failure detector not signal an error, $P(D_b)$; that the switch not step simultaneously while connected to this chain, $P(S_b)$; and that the switch contact remain good, $P(S_c)$. The probability of successful operation is

$$R_1 = R_c\, P(D_b)\, P(S_b)\, P(S_c) . \tag{10-51}$$

The use of one value of $P(S_b)$ for the probability of no spontaneous stepping of the switch from any position is an approximation. A precise analysis would use $P(S_b)$ as previously defined only for the first chain with successively larger values for this probability for chains 2, ..., m. The final computed reliability is actually somewhat lower than the correct result. However, since the probability of spontaneous switching in all practical applications is very small, the more precise analysis does not appear to be warranted.

A stepping of the switch can occur in three ways (the symbols are for probabilities rather than for events):

1. The chain fails ($F_c = 1 - R_c$); the detector signals failure, $P(D_a)$; and the switch steps, $P(S_a)$.

2. The chain does not fail, $R_c$; but the detector erroneously signals failure, $\bar{P}(D_b) = 1 - P(D_b)$; and the switch steps, $P(S_a)$.

3. The chain does not fail, $R_c$; the detector does not signal failure, $P(D_b)$; but the switch steps spontaneously, $\bar{P}(S_b) = 1 - P(S_b)$.

Thus, the probability of one stepping of the switch is

$$a = F_c\, P(D_a)\, P(S_a) + R_c\, \bar{P}(D_b)\, P(S_a) + R_c\, \bar{P}(S_b)\, P(D_b) . \tag{10-52}$$

There are several modes of behavior of one chain that lead immediately to system failure without any failure indication, due to a bad switch contact $\bar{P}(S_c)$, to failure of the switch to respond to an error signal $\bar{P}(S_a)$, or to failure of the detector to indicate failure $\bar{P}(D_a)$. In addition, there are modes of behavior in which the detector and switch both make errors that cancel each other. These second-order effects will be arbitrarily ruled out.

The probability of successful operation with the final connection to switch-contact i is equal to the probability of (i - 1) steppings of the switch times the probability of successful operation through one chain, or $a^{i-1} R_1$.

Then, the reliability of the system is the sum of the probabilities for the m switch contacts:

$$R = \sum_{i=1}^{m} a^{i-1} R_1 = R_1 \left( \frac{1 - a^m}{1 - a} \right) \tag{10-53}$$

where

$$R_1 = R_c\, P(D_b)\, P(S_b)\, P(S_c)$$

$$R_c = \prod_{i=1} R_i . \tag{10-54}$$

Because all $P(\cdot) \le 1$,

$$R \le P(S_c) \tag{10-55}$$

$$R \le 1 - (1 - R_c)^m . \tag{10-56}$$
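Eqs. 10-51 through 10-56 put together: the code below computes the reliability of m redundant chains with imperfect failure detection and switching, and compares it with the bounds of Eqs. 10-55 and 10-56 and with the value it approaches as m grows. This is an added example, not part of the handbook; the class and function names and all probability values are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Chain:
    r_c: float   # s-reliability of one chain
    p_da: float  # P(Da): a chain failure is detected and signaled
    p_db: float  # P(Db): no false failure signal from the detector
    p_sa: float  # P(Sa): switch steps correctly when signaled
    p_sb: float  # P(Sb): switch does not step spontaneously
    p_sc: float  # P(Sc): switch contact stays good


def single_chain_success(c):
    """Eq. 10-51: R1 = Rc P(Db) P(Sb) P(Sc)."""
    return c.r_c * c.p_db * c.p_sb * c.p_sc


def step_probability(c):
    """Eq. 10-52: probability of one stepping of the switch."""
    f_c = 1.0 - c.r_c
    return (f_c * c.p_da * c.p_sa                   # real failure, detected, stepped
            + c.r_c * (1.0 - c.p_db) * c.p_sa       # false alarm, stepped
            + c.r_c * (1.0 - c.p_sb) * c.p_db)      # spontaneous step


def system_reliability(c, m):
    """Eq. 10-53, evaluated as the sum over the m switch contacts."""
    r1, a = single_chain_success(c), step_probability(c)
    return sum(a ** (i - 1) * r1 for i in range(1, m + 1))


def ideal_parallel(c, m):
    """Eq. 10-56 right-hand side: perfect detection and switching."""
    return 1.0 - (1.0 - c.r_c) ** m


def saturation_limit(c):
    """Value approached by Eq. 10-53 as m grows: R1 / (1 - a)."""
    return single_chain_success(c) / (1.0 - step_probability(c))


# Constructed values: a fairly good chain with slightly imperfect detector and switch.
EXAMPLE = Chain(r_c=0.9, p_da=0.95, p_db=0.99, p_sa=0.98, p_sb=0.995, p_sc=0.999)
PERFECT = Chain(r_c=0.9, p_da=1.0, p_db=1.0, p_sa=1.0, p_sb=1.0, p_sc=1.0)

if __name__ == "__main__":
    print(f"limit for large m: {saturation_limit(EXAMPLE):.6f}")
    for m in (1, 2, 3, 5, 10):
        print(f"m={m:<3} R={system_reliability(EXAMPLE, m):.6f} "
              f"ideal={ideal_parallel(EXAMPLE, m):.6f}")
```

With these values the system reliability stops improving after a few chains, while the ideal value keeps approaching one: the detector and switch set the ceiling.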

In the present application, the device, with no redundancy, is considered to have a reliability $R_0$. It is assumed that it is possible to break the device up into p groups of equal reliability, $R_0^{1/p}$. It is further assumed that the failure detector for the complete device consists of p units, each associated with a group, such that indications of failure originating from any of these units are equally probable. Then, if $P(D_a)$ and $P(D_b)$ are probabilities associated with the failure detector for one complete device, the corresponding probabilities for the units associated with a group will be $P(D_a)^{1/p}$ and $P(D_b)^{1/p}$. If each chain is made n times redundant, the system reliability, for perfect failure detection and switching, is

$$R_s = [\,1 - (1 - R_0^{1/p})^n\,]^p . \tag{10-57}$$

The exact equations are complicated and are given in Refs. 1 and 14.

Operating redundancy is used in continuous time applications primarily, but it can be used in intermittent situations if the failure-detecting device is capable of signaling the switching mechanism at the proper time.

The performance of these systems in many instances will be limited by the reliability of the failure-detecting and switching assemblies.

Tables and charts given in Ref. 14 can be used in designing systems with operating redundancy: Given an estimate of the initial unreliability for a nonredundant system and the tolerable unreliability permitted in the final system, the degree of redundancy and the number of chains that will meet the specifications can be estimated from the appropriate curves in the reference.

For initially unreliable systems and a moderate degree of redundancy, high reliability can be achieved only by applying the redundancy to relatively small units. Imperfect switching limits the reliability attainable in all cases such that the unreliability is not a steadily decreasing function of p, but has a definite minimum beyond which it increases.

10-4.3 DUPLEX REDUNDANCY

Duplex redundancy uses duplicated logic circuits operating in parallel (Refs. 1, 13, and 15). It has an error detector at the output of each circuit which detects any noncoincident outputs and starts a diagnostic procedure. This procedure may last from a few microseconds to a few milliseconds, depending on the diagnostic process chosen in the design. Figure 10-19 illustrates the duplex scheme.

FIGURE 10-19. Illustration of Duplex Redundancy’

If the exponential failure law is assumed, the reliability of the system when duplex redundancy and error detection is used is:

$$R = e^{-\tau} \left( 1 + e^{-\alpha\tau} - e^{-(1 + \alpha)\tau} \right) \tag{10-57}$$

where

$\tau$ = nt × (failure rate of individual circuit)
n = the number of circuits in sequence
$\alpha$ = (failure rate of error detector) / (failure rate of individual circuits).

Duplex redundancy can be used in digital computer logic circuits to protect against faulty outputs from basic logic elements. Duplex redundancy should improve digital system reliability. However, the system will not automatically correct intermittent errors or two simultaneous failures.

Features of a duplex logic redundancy system are:

1. Basic logic circuitry is fully redundant.

2. All errors are detected and the faulty logic unit is disabled, thus correcting the error. Faulty logic units can be repaired without interrupting system operation. If both $A_1$ and $A_2$ fail at the same time, there is no error detection; however, this situation is very unlikely to occur.

3. The system is disabled only when both logic units fail.

4. The error detector is not in series with the output signals; hence, its failure does not affect the output.

5. Maintenance problems are simplified since the faulty logic unit can be identified automatically. Rapid identification of faults permits rapid replacement of failed units.

The main disadvantage of duplex redundancy is the need for a short diagnostic procedure in the event of failure. Also, in order to avoid losing essential information, it may be necessary to record the contents of important registers and the input data. In this way, after an error is corrected, the original situation can be restored.

CHAPTER 11 MONTE CARLO SIMULATION


11-0 LIST OF SYMBOLS

Cdf = Cumulative distribution function

pdf = probability density function
s- = denotes statistical definition
t = time for r failures
Var{ } = Variance of

$\lambda_i$ = true failure rate for i

$\hat{\lambda}_i$ = estimated failure rate for i, a random variable

$\chi^2$ = chi-square, a special random variable

11-1 INTRODUCTION

In formal terms, Monte Carlo simulation (often just called simulation) is a method of mathematically simulating a physical experiment to determine some probabilistic property of a population of events by the use of random sampling applied to the components of the events; see Refs. 1-4 for more information. Less formally, simulation involves determining the probability distributions of the components of the system, and selecting a random sample from each component distribution. The resultant component sample values then are combined in a model to estimate the system reliability measure. This process is repeated many times until enough data have been obtained to estimate the system probability distribution with the required precision. The measure can be s-reliability or mean time to failure, or it can be a performance parameter such as bandwidth, gain, noise, or power output.

Simulation can be applied at various phases of a program. For example, if actual performance or failure data are available on some of the components, the distribution of these values can be determined. Then by random sampling of these distributions and by combining the sample values into a model describing the system in terms of its components, the distribution of system performance can be derived. These methods also can be used as a prediction and analysis tool. For example, during the system conceptual phase, a system model can be developed in terms of its components and, through use of various assumed component distributions, the performance of the system can be evaluated. Simulation also can be used as a comparative tool. Through simulation of various systems and their component distributions, the different types of systems can be compared, and an optimum approach can be selected with a high degree of assurance that, if the models used to describe the system are realistic, the selection truly will be optimum.

Simulation is based on several principles of probability and on the techniques of probability transformations. One of the underlying principles is the law of large numbers, which states that the larger the sample, the more certainly the sample mean will be a good estimate of the population mean. The central-limit theorem gives a more precise statement of the law of large numbers (there are several theorems under this heading, all relating to the same topic; see Ref. 5 or Bibliography at end of Chapter 1): if a population has a finite variance $\sigma^2$ and mean $\mu$, then the distribution of the sample (size n) mean approaches the s-normal distribution with variance $\sigma^2/n$ and mean $\mu$ as the sample size n increases.

An interesting thing about the central-limit theorem is that nothing is implied about the form of the population distribution function. Whatever the distribution function, within reasonable limits, the sample mean will have approximately the s-normal distribution for large samples.

11-2  PROPERTIES  OF  DISTRIBUTIONS 

Chapters  2 and  3 introduced  the  concept 
of  probability  density  functions  [pdf ) for  con- 
tinuous random  variables,  the  probability 
mass  function  (pmf)  for  discrete  random  vari- 
ables, and  the  cumulative  distribution  func- 
tion (Cdf)  for  any  random  variable.  Text- 
books, such  as  Ref.  5 and  the  Bibliography  at 
the  end  of  Chapter  1 , give  an  adequate  intro- 
duction to  probability  theory. 

The s-expectation of the average of $N$
s-independent trials of a function $g(x_i)$ is
the s-expectation of $g(x)$, where $X$ is a
random variable.

A generalization  of  the  law  of  large  num- 
bers comes  into  play  during  the  repeated 
Monte  Carlo  trials: 

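$$\lim_{N \to \infty} \Pr\left\{ \left| \int g(x) f(x)\,dx - \frac{1}{N} \sum_{i=1}^{N} g(x_i) \right| > \epsilon \right\} = 0 \qquad (11\text{-}1)$$

where

$\epsilon$ = any positive number
$f(x)$ = pdf of $x$
$g(x)$ = any function of $x$; usually, the one being simulated
$N$ = sample size
$x_i$ = sample value of $X$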

Eq. 11-1 shows that the chance of departure
from the true value of $g(x)$, weighted
according to the frequencies of the $x$'s,
becomes less as $N$ increases.

The  reasoning  can  be  extended  to  a func- 
tion of  many  variables. 

11-3  THE  SIMULATION  METHOD 

The  simulation  method  is  a way  to  deter- 
mine the  distribution  of  a function  of  one  or 
more  variables  from  the  distributions  of  the 
individual  variables.  The  method  involves  ran- 
dom sampling  from  the  distributions  of  all 
variables  and  inserting  the  values  so  obtained 
in  the  equation  for  the  function  of  interest. 
Suppose the function whose distribution is to
be estimated is $g(x_1, x_2, \ldots, x_n)$ and that the
$X_1, X_2, \ldots, X_n$ are s-independent random
variables whose distributions are presumed to
be known. The procedure is to pick a set of
$x$'s randomly from the distributions of the
$X$'s, calculate $g$ for that set, and store that
value  of  g.  The  procedure  is  repeated  many 
times  until  enough  values  of  g are  obtained. 
From  this  sample  of  g values,  its  distribution 
and  parameters  can  be  estimated.  Very  often, 
one  settles  for  estimating  the  mean  and  stan- 
dard deviation  of  g. 

Simulation is a well developed art/science.
It is virtually always done on a computer
because a tremendous number of calculations
are involved. Special simulation languages
have been developed. Check with your
computer installation to find out what simulation
facilities are available, and what programming
assistance that installation can offer.

11-4  MEASURES  OF  UNCERTAINTY 

Several  methods  are  available  for  estab- 
lishing s-confidence  intervals  and  estimating 
uncertainties  in  the  results  of  a simulation. 
They  are  essentially  the  same  as  in  any  sam- 
pling technique.  Chapter  4 reviews  some  of 
the  statistical  concepts  and  gives  references 
for  further  reading.  The  procedures  are  all 
quite  standard  and  well-known  (to  mathema- 
ticians). 

The  required  sample  size  for  a given  mini- 
mum uncertainty  is  a handy  number  to  have. 
It  is  useful  for  getting  an  idea  of  how  much 
computer  time  is  likely  to  be  involved.  For 
simulations  of  equipments,  the  programming 
and  analytic  effort  to  get  ready  to  simulate 
will  far  outweigh  the  cost  of  actually  running 
the  simulations.  Table  11-1  shows  typical 
sample  sizes  for  various  s-confidence  levels 
and  goodness-of-fit  (to the  Cdf). 


TABLE 11-1

MINIMUM SAMPLE SIZE REQUIRED
FOR MONTE CARLO SIMULATION⁶

$\delta$        $\gamma$ = 0.90    $\gamma$ = 0.95    $\gamma$ = 0.99
0.01       6800          9600          16500
0.02       1700          2400          4125
0.03       750           1066          1833
0.05       272           384           660

$\delta$ = maximum deviation of sample Cdf from true Cdf

$\gamma$ = s-confidence level

This table is derived from the Kolmogorov-Smirnov test of
goodness-of-fit. It does not depend on the form of the
distribution.


Since  theory  shows  that  the  Monte  Carlo 
technique  gives  a true  random  sample  of  the 
population  (function)  to  be  estimated,  there 
is  no  need  to  go  into  special  discussions  about 
the  statistical  theory. 

All random distributions used for digital
computers  are  pseudo-random.  Since  a pat- 
tern is  used  to  generate  the  pseudo-random 
numbers,  modest  attention  ought  to  be 
devoted  to  being  assured  that  the  numbers 
will  behave  well  enough  for  your  particular 
simulation.  Rarely  in  reliability  work  will  dif- 
ficulties from  this  source  arise,  but  it  can  hap- 
pen. 

11-5 APPLICATIONS

In  principle,  the  demonstration  of  the  reli- 
ability of  a system  is  a fairly  straightforward 
procedure.  Take  several  systems,  operate 
them  for  a sufficient  length  of  time,  record 
the  number  of  failures  which  occur,  and 
evaluate the results by one of a number of
available  statistical  techniques.  Unfortunately, 
this  is  not  practical  — particularly  for  dealing 
with  complex,  costly  systems.  Even  an  opti- 
mum mix  of  time,  available  systems,  man- 
power, and  test  facilities  is  often  economical- 
ly prohibitive. 

Because  of  the  complexity  of  many  sys- 
tems, extensive  tests  at  the  system  level  often 
are  limited  because  of  time,  facilities,  cost, 
and  schedules.  Instead,  extensive  testing  gen- 
erally is  done  at  the  subsystem  level.  This  per- 
mits testing  to  be  conducted  earlier  in  a pro- 
gram, and  reveals  potential  difficulties  at  the 
earliest possible time. Two management and
statistical difficulties arise if the test results
are  to  be  used  to  assess  the  reliability  poten- 
tial of  the  system.  Such  tests  may  be  part  of 
the  design-development  program,  and  the  reli- 
ability data  obtained  may  be  a byproduct 
rather  than  the  end  result  of  the  test.  There- 
fore, there  is  no  longer  a controlled  condition 
in  the  statistical  sense,  and  the  analyst  is 
forced  to  work  with  the  information  that  be- 
comes available. 

The  synthesis  of  system  reliability  from 
the  results  of  subsystem  tests  is  not  a simple 
problem.  As  a rule,  each  subsystem  type  will 
be  run  a different  number  of  total  operating 
hours,  and  different  numbers  of  failures  will 
be  observed. 

To illustrate the second point, consider a
simple series (1-out-of-3:F) system consisting
of 3 s-independent subsystems, with the
operating times and observed failures indicated in
Table 11-2.

The  subsystems  have  constant  failure 
rates.  The  failure  rate  of  the  system  is  just  the 
sum  of  the  subsystem  failure  rates,  and  we 
could  try  the  same  formula  using  the  esti- 
mated failure  rates  from  Table  11-2,  viz. 

$\hat{\lambda}_s$ = (0.40 + 0.25 + 0.20) per 1000 hr =
0.85 per 1000 hr; $\hat{\lambda}_s$ is an estimate of the
failure rate $\lambda_s$. We have an estimate of $\lambda_s$; but (as
mentioned in Chapter 4 “Review of Statistical
Theory”) the trick is not to get an estimate


TABLE 11-2

SUMMARY OF SUBSYSTEM OPERATING TIMES, FAILURES, FAILURE-RATE ESTIMATES
AND s-CONFIDENCE INTERVALS FOR FAILURE RATES

             Total operating   Test stopped     $\hat{\lambda}_i = r/t_i$,     s-Confidence interval for $\lambda_i$
Subsystem    time $t$, hr        after $r$ failures   per 1000 hr        lower 5%     upper 5%
1            5000              2                0.40               0.071        0.95
2            8000              2                0.25               0.044        0.59
3            10000             2                0.20               0.036        0.47
System       -                                  0.85               ?            ?

$\hat{\lambda}_i$ is an estimate of the true failure rate $\lambda_i$.

The s-confidence intervals were obtained from a table of the chi-square distribution; $2\lambda t$ has a chi-square
distribution with $2r$ degrees of freedom. From tables such as those in Part Six, Mathematical Appendix and
Glossary, for 4 degrees of freedom, the lower 5% point is $\chi^2$ = 0.711 and the upper 5% point is $\chi^2$ = 9.49.

$\lambda$ bound = $\chi^2/(2t)$.

(anyone can do that), but to know its statistical
properties. Unfortunately, the statistical
properties  of  the  estimate  we  just  used  are  not 
known.  The  statistical  properties  of  estimates 
of  system  reliability  from  a knowledge  of  sub- 
system sample  data  is  an  unsolved  problem 
(except  for  a few  special  cases). 

For each subsystem, it is known that $2\lambda t$
has a chi-square distribution with $2r$ degrees of
freedom if the test is stopped after $r$
failures, and with $2(r + 1)$ degrees of freedom if the test is stopped
after a fixed time $t$; $\lambda$ is the true failure rate.

We will solve our particular problem by
Monte Carlo simulation. The equation for $\hat{\lambda}_s$,
whose distribution we want to estimate, is

$$\hat{\lambda}_s = \hat{\lambda}_1 + \hat{\lambda}_2 + \hat{\lambda}_3 \qquad (11\text{-}2)$$

In each subsystem, the procedure is to run
until 2 failures occur. We cannot simulate
unless we know the distributions from which the
$\hat{\lambda}_i$ come. So we cannot solve the problem in
Table 11-2 by a short simulation; we can,
however, solve a similar one, as given in Table
11-3. We have to know all the parameters in a
problem in order to solve it by Monte Carlo
simulation. It is neither correct nor meaningful
to use the random times in Table 11-2 to
find a “distribution for $\lambda$”; in classical
statistics, $\lambda$ does not have a distribution, it is fixed.
See Ref. 7 for an advanced discussion of
s-confidence.

One  of  the  big  difficulties  with  Monte 
Carlo  simulation  is  that  it  is  so  restricted.  Like 
other  numerical  techniques,  it  does  not  an- 
swer general  questions;  it  only  treats  the 
specific  numbers  used  in  it. 

Let $\chi^2_4$ be a random value from a chi-square
distribution with 4 degrees of freedom.

TABLE 11-3

SYSTEM FAILURE BEHAVIOR

             True failure rate $\lambda_i$,    Test stopped after
Subsystem    per 1000 hr               $r$ failures, $r$
1            0.80                      2
2            0.50                      2
3            0.10                      2
System       1.40

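Then, for this example

$$\hat{\lambda}_i = r_i/t_i = 2/t_i \quad (\text{defines } \hat{\lambda}_i) \qquad (11\text{-}3)$$

$$2\lambda_i t_i = \chi^2_{2r} = \chi^2_4 \quad (2\lambda t \text{ has a } \chi^2_{2r} \text{ distribution}) \qquad (11\text{-}4)$$

$$\hat{\lambda}_i = 4\lambda_i/\chi^2_4 \qquad (11\text{-}5)$$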

Eq. 11-5 is used to calculate $\hat{\lambda}_i$ from a
randomly generated value of chi-square (with 4
degrees of freedom). Table 11-4 is a collection
of  pseudo-random  numbers  from  the  chi- 

TABLE 11-4

RANDOM NUMBERS FROM
THE CHI-SQUARE
DISTRIBUTION WITH 4 DEGREES
OF FREEDOM

No. 1      No. 2      No. 3
11.73      4.959      6.134
0.6107     3.858      4.721
2.628      1.566      7.891
6.040      6.393      3.485
2.106      2.590      1.867
4.994      4.870      3.040
2.135      14.47      4.920
2.977      3.897      4.376
3.172      7.499      1.331
9.594      1.331      2.262
5.751      3.487      3.083
0.1846     0.5026     2.660
9.423      6.447      2.254
4.967      0.3100     2.194
6.093      3.182      5.509
5.074      7.010      5.559
4.347      9.706      1.177
1.094      1.498      3.107
3.696      8.131      4.455
0.3131     7.743      2.267
0.4130     4.379      4.907
3.559      7.291      1.333
2.523      1.311      6.511
6.946      10.32      4.688
1.571      3.098      0.9772
18.71      1.456      3.709
13.02      2.405      5.368
7.036      9.338      4.619
2.707      1.767      7.469
6.049      3.203      2.261

TABLE 11-5

MONTE CARLO ANALYSIS OF EXAMPLE SYSTEM

Subsystem No. 1     Subsystem No. 2     Subsystem No. 3     System
n     $\hat{\lambda}_1$        n     $\hat{\lambda}_2$        n     $\hat{\lambda}_3$        n     $\hat{\lambda}_s$
3     0.273         12    0.403         4     0.063         1     0.739
27    5.240         16    0.518         10    0.085         26    5.843
21    1.218         24    1.277         1     0.051         22    2.546
10    0.530         11    0.313         16    0.115         5     0.957
24    1.519         21    0.772         26    0.214         21    2.506
13    0.641         13    0.411         19    0.132         8     1.183
23    1.499         1     0.138         8     0.081         18    1.718
19    1.075         15    0.513         14    0.091         17    1.680
18    1.009         7     0.267         28    0.301         15    1.576
4     0.334         27    1.503         22    0.177         19    2.013
11    0.556         17    0.574         18    0.130         11    1.260
30    17.335        29    3.979         20    0.150         30    21.464
5     0.340         10    0.310         23    0.177         4     0.827
14    0.644         30    6.451         25    0.182         27    7.278
8     0.525         19    0.629         6     0.073         10    1.226
12    0.631         9     0.285         5     0.072         6     0.988
15    0.736         3     0.206         29    0.340         12    1.282
26    2.925         25    1.335         17    0.129         25    4.389
16    0.866         5     0.246         13    0.090         9     1.202
29    10.219        6     0.258         21    0.176         29    10.654
28    7.748         14    0.457         9     0.082         28    8.286
17    0.899         8     0.274         27    0.300         14    1.474
22    1.268         28    1.526         3     0.061         23    2.856
7     0.461         2     0.194         11    0.085         2     0.740
25    2.732         20    0.646         30    0.409         24    3.787
1     0.171         26    1.374         15    0.108         16    1.653
2     0.246         22    0.832         7     0.075         7     1.152
6     0.455         4     0.214         12    0.087         3     0.756
20    1.148         23    1.132         2     0.054         20    2.333
9     0.529         18    0.624         24    0.177         13    1.330

sample mean $\bar{x}$                   2.126     0.922     0.142     3.190
sample standard deviation $s$     3.664     1.282     0.091     4.221
$s/\bar{x}$                             1.72      1.39      0.64      1.32

n is  the  order  number  in  the  sample. 



square  distribution  with  4 degrees  of  freedom, 
as  required  in  Eq.  11-5.  They  are  pseudo- 
random because  they  exist  beforehand  (for 
us)  on  a sheet  of  paper.  Since  the  numbers  are 
pseudo-random,  a choice  must  be  made  on 
how to use them. Arbitrarily pick column $i$
for $\hat{\lambda}_i$, $i$ = 1, 2, 3; and begin at the top and go
down  in  sequence.  We  will  hope  that  the 
method  of  generating  these  numbers  did  not 
have  a “cycle”  such  that  the  rows  contain 
highly  correlated  numbers. 

Table 11-5 contains the calculations for
the $\hat{\lambda}_i$ and for $\hat{\lambda}_s$; $\hat{\lambda}_s$ is derived from Eq. 11-2.
The estimate of $\hat{\lambda}_i$ in Table 11-5 occupies the
same relative position that the random number
does in Table 11-4. Column 4 in Table
11-5 contains the estimates of the system failure
rate. At the bottom of each column, there
is the sample mean $\bar{x}$, sample standard deviation
$s$, and the ratio $s/\bar{x}$.

As to be expected, the mean of $\hat{\lambda}_s$ is the
sum of the means of the $\hat{\lambda}_i$. But the variance
of $\hat{\lambda}_s$ is more than the sum of the variances of
the $\hat{\lambda}_i$. This means that there was some
correlation along the rows. A statistical test
showed that the ratio 17.82/15.08 = 1.18 of
the Var{$\hat{\lambda}_s$}/(Var{$\hat{\lambda}_1$} + Var{$\hat{\lambda}_2$} + Var{$\hat{\lambda}_3$})
would be exceeded by chance about
25% of the time; probably not too bad.

The sample Cdf's are plotted (smoothed
somewhat) in Fig. 11-1, on s-normal distribution
paper (an s-normal Cdf would appear as a
straight line). Needless to say, none of the
distributions are s-normal. The pdf's are all
skewed to the right; there are some very large
sample values. The coefficient of variation
($s/\bar{x}$) is more than 1, which also shows the
skewness of the distributions.

The curves for $\hat{\lambda}_i$ would all be the same
(except for scale) if very large samples were
used.

The  tests  were  all  terminated  at  the 
second  failure.  Obviously,  there  is  a great  deal 
of  scatter  in  the  test  results. 

This  Monte  Carlo  trial,  by  hand,  has 
shown  the  shape  of  the  central  portion  (say, 
5%  to  95%)  of  the  distributions.  More  trials 
would  extend  that  range.  The  example  was  set 
up  to  use  only  one  probability  distribution 
for  the  trials;  this  was  for  convenience  in 
doing  hand  calculations.  In  practice  the  distri- 
butions need  not  be  the  same  for  all  elements. 
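
The hand calculation of Tables 11-3 through 11-5 can be repeated by machine. The following Python sketch is an added example, not part of the handbook: it draws chi-square variates with 4 degrees of freedom, applies Eq. 11-5 to the true failure rates of Table 11-3, and sums the three estimates per Eq. 11-2. The function names, the seed, and the trial counts are assumptions chosen for illustration.

```python
import random
import statistics

# Table 11-3 of the handbook: true failure rates (per 1000 hr); each test stops at r = 2 failures.
TRUE_RATES = (0.80, 0.50, 0.10)
R_FAILURES = 2


def chi_square(dof, rng):
    """Draw one chi-square variate; chi-square(dof) equals Gamma(shape=dof/2, scale=2)."""
    return rng.gammavariate(dof / 2.0, 2.0)


def simulate(n_trials, seed=1):
    """Return n_trials rows of (estimate_1, estimate_2, estimate_3, system_estimate)."""
    rng = random.Random(seed)  # seeded, so a run can be repeated exactly
    dof = 2 * R_FAILURES       # 2r degrees of freedom for a test stopped after r failures
    rows = []
    for _ in range(n_trials):
        # Eq. 11-5 in general form: estimate = 2r * true_rate / chi-square(2r)
        estimates = [dof * rate / chi_square(dof, rng) for rate in TRUE_RATES]
        rows.append((*estimates, sum(estimates)))  # Eq. 11-2: system = sum of subsystems
    return rows


def quantile(ordered, p):
    """Sample quantile by linear interpolation between order statistics."""
    position = p * (len(ordered) - 1)
    low = int(position)
    high = min(low + 1, len(ordered) - 1)
    return ordered[low] + (position - low) * (ordered[high] - ordered[low])


def summarize(rows):
    """Per column: sample mean, standard deviation, their ratio, and three percentage points."""
    summary = []
    for column in zip(*rows):
        ordered = sorted(column)
        mean = statistics.fmean(column)
        stdev = statistics.stdev(column)
        summary.append({
            "mean": mean, "stdev": stdev, "cv": stdev / mean,
            "p05": quantile(ordered, 0.05),
            "median": quantile(ordered, 0.50),
            "p95": quantile(ordered, 0.95),
        })
    return summary


if __name__ == "__main__":
    labels = ("subsystem 1", "subsystem 2", "subsystem 3", "system")
    for n_trials in (30, 20000):  # 30 matches the hand calculation; 20000 is an assumed large run
        print(f"--- {n_trials} trials ---")
        for label, stats in zip(labels, summarize(simulate(n_trials))):
            print(f"{label:12s} mean={stats['mean']:.3f} s={stats['stdev']:.3f} "
                  f"5%={stats['p05']:.3f} 50%={stats['median']:.3f} 95%={stats['p95']:.3f}")
```

With 4 degrees of freedom the estimate $4\lambda_i/\chi^2_4$ has mean $2\lambda_i$ but no finite variance, so the sample standard deviation keeps drifting as trials are added, while the 5%, 50%, and 95% points settle quickly.
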

CHAPTER 12 RELIABILITY OPTIMIZATION


12-0 LIST OF SYMBOLS

a, b, A = matrices in par. 12-2.2
$f(x)$ = some function of $x$
$g(\alpha)$ = see Eq. 12-3
$g_i(x)$ = inequality-type constraint function
$h_i(x)$ = equality-type constraint function
$r$ = number of constraints
$R, R_i$ = constraint sets
s- = denotes statistical definition
$s$ = gradient of $f(x)$, subscript $i$ means value at iteration $i$
$x, x_i$ = vector with several components, value at iteration $i$
$x^*$ = $x$ for global minimum of $f$
$x_1, x_2$ = individual dimensions (components of $x$)
$x_0$ = some particular $x$; the starting point of $x$ for an iterative solution for $f(x)$
$\alpha, \alpha_i$ = scalar parameter, for iteration $i$
$\epsilon$ = some positive number (usually small)
M; = scalar parameter between 0 and 1
<PQ ,0J,0 = special functions (par. 12-3.6)
4>T = implies transpose of 0 ; x is any vector or matrix
$\nabla$ = gradient operator


12-1  INTRODUCTION 

Seldom is it feasible to optimize a reliability
function of a complicated system without
using a computer. Thus, most of this chapter
is written with computers in mind.
Computer-aided design techniques offer the engineer
relief from complicated calculations.
Optimization programs can apply prespecified
constraints and determine the most desirable
component values. To accomplish these tasks,
the computer must be provided with a
method for generating alternate values for the
design variables and some measure for
comparing the resulting designs. This measure is
usually a single function such as reliability,
and the design goal is to optimize its value. A
design which does this is called optimal.
Methods for generating alternate solutions that
account for constraints and that converge to
an optimal solution generally are called
mathematical programming techniques.

Mathematical  programming  techniques 
optimize a given objective function $f(x)$ by
proper  choice  of  a vector  of  design  variables 
x.  If  x is  restricted  to  certain  allowable  values, 
then  the  problem  is  constrained;  if  not,  the 
problem  is  unconstrained. 

The branch of mathematical programming
that deals with linear constraints and linear
objective functions is called linear
programming. Since it is widely used and well
described elsewhere (Refs. 1 and 2), linear
programming will not be discussed here. Instead,
nonlinear programming problems, i.e., those
which have at least one nonlinear constraint
or a nonlinear objective function, or both,
will be discussed. Multistage problems which
fall under the heading of dynamic
programming will also be considered.

In engineering problems, the designer
often wants to maximize or minimize a function
of $n$ variables, $f(x)$, in a situation where the
design constraints do not restrict the values of
the variables $x$. Many problems in which the
constraints are binding can be converted to
unconstrained problems or sequences of such
problems. Since the problem of maximizing
$f(x)$ is equivalent to that of minimizing
$-f(x)$, we need consider only the
minimization problem.

A point $x^*$ is said to be a global minimum
of $f(x)$ if, for all values of $x$,

$$f(x^*) \le f(x). \qquad (12\text{-}1)$$

If the strict inequality holds, the minimum is
said to be unique. If Eq. 12-1 holds only for
all $x$ in some neighborhood of $x^*$, then $x^*$ is
said to be a local minimum of $f(x)$, since in
this case $x^*$ is the best point in the immediate
vicinity but not necessarily the best point in
the whole region of interest.

If $f(x)$ is continuous and has continuous
first and second partial derivatives for all $x$,
the first necessary condition for a relative
minimum at $x^*$ is that all the partial
derivatives of $f(x)$ be zero, when evaluated at $x^*$
(Ref. 3).

$$\left. \frac{\partial f(x)}{\partial x_i} \right|_{x^*} = 0, \quad \text{for all } i \qquad (12\text{-}2)$$

The second necessary condition is that the
matrix of second partial derivatives evaluated
at $x^*$ be positive semidefinite. Any point $x^*$
that satisfies Eq. 12-2 is called a stationary
point  of  f(x).  Sufficient  conditions  for  a rela- 
tive minimum  are  that  the  matrix  of  second 
partial  derivatives  of  f(x)  be  positive  definite 
and  that  Eq.  12-2  must  hold. 

12-2 NUMERICAL METHODS FOR FINDING UNCONSTRAINED MINIMA

The most obvious approach to finding the
minimum of $f(x)$ is to solve Eq. 12-2. If $f(x)$ is
not quadratic, Eq. 12-2 (the set of $n$
equations in $n$ unknowns) is nonlinear, and solving
large sets of nonlinear equations is usually a
very difficult task. The function $f(x)$ may be
so complicated that it is difficult even to
write Eq. 12-2 in closed form. Further, even if
the equations could be solved, there would be
no guarantee that a given solution represented
an actual minimum rather than some saddle
point or maximum. We will, therefore,
consider other methods of locating unconstrained
minima.

12-2.1  GRADIENT  METHODS 

If $f(x)$ is continuous and differentiable, a
number of minimization techniques using the
gradient of $f(x)$ are available. The gradient
$\nabla f(x)$ is a vector pointing in the direction of
greatest increase of $f(x)$. At any point $x_0$, the
vector $\nabla f(x)$ is normal to the contour of
constant function value which passes through $x_0$.
Two methods are presented.

12-2.1.1  Steepest  Descent 

The method of steepest descent for
minimizing $f(x)$ is detailed in Table 12-1. In Step
2, the gradient can be found either by
analytic formulas or by computing differences. Step
3 uses the direction of search determined in
Step 2 and decides how far to move in this
direction. The computer spends most of its
time computing the gradient in this method,
so the step length $\alpha_i$ for Step $i$ is selected to
get the largest possible decrease in $f(x)$ for
each gradient computation. Therefore, $\alpha_i$ is
selected to minimize the function

$$g(\alpha) = f(x_i + \alpha s_i). \qquad (12\text{-}3)$$

Define also,

$$s_i = -\nabla f(x_i), \qquad (12\text{-}4)$$

the gradient of $f$. Both $x_i$ and $s_i$ are known
vectors; $\alpha$ is the only unknown variable in Eq.
12-3.

The  method  of  steepest  descent  converges 
to at least a local minimum of $f(x)$, providing
certain  mild  restrictions  are  met  (Ref.  5).  The 
computations  in  Steps  2,  3,  and  4 of  the 
steepest  descent  method  are  repeated  until  a 
satisfactory  value  for  x is  found. 

Several tests for determining when the
computation should be stopped are also listed
in Table 12-1. Stop Criteria 1 and 2 are based
on the fact that the gradient vanishes at a
minimum. When Criteria 3 and 4 are used, the
computation will stop if the function value or
current point changes by less than some small
value $\epsilon$. It has been found that Criterion 3 is
the most dependable, providing it is met for
several successive values of $i$. In all criteria, $\epsilon$
is a small positive number which the user
selects. As $\epsilon$ decreases, the location of the
minimum is more accurate, but more iterations are
required to achieve this accuracy.

12-2.1.2  Cubic  and  Quadratic  Interpolation 

Finding a value $\alpha^*$ to minimize Eq. 12-3
can be thought of as a problem of 1-dimensional
minimization in the direction of $s_i$. The
cubic interpolation procedure outlined in
Table 12-1 solves this problem for any given
direction of $s_i$ in which the function $f(x)$
initially decreases.

For the cubic interpolation procedure and
the quadratic interpolation which follows, the
components of $x$ are scaled so that a unit
change in any variable is an important (but
not too large) fractional change in that
variable. For example, if a capacitor is expected
to have a value near 100 μF, then a 1 μF
change would be important, but a 10 μF
change would be too large.

Steps 1 and 2 of the cubic interpolation
procedure normalize $s$ so that its components
are less than or equal to 1 in magnitude. This,
along with scaling, insures that $s$ is a
reasonable change in $x$. Step 3 moves along the
direction $s$ to place the desired minimum value
$\alpha^*$ in the interval $a < \alpha^* < b$. Steps 4 through


TABLE 12-1

OPTIMIZING UNCONSTRAINED PROBLEMS

Method of Steepest Descent

1. Start the computation at some initial point $x_0$, usually the best available estimate of the minimum. The $i$th iteration ($i$ = 0, 1, 2, ...) proceeds as follows.

2. Compute the gradient $\nabla f(x_i)$ and let the current direction of search be $s_i = -\nabla f(x_i)$.

3. Compute a step length $\alpha_i$ by choosing $\alpha_i$ to minimize $f(x_i + \alpha s_i)$. Cubic and quadratic interpolation procedures are detailed below.

4. Compute a successor vector for $x_i$:

$x_{i+1} = x_i + \alpha_i s_i$

5. Check a stop criterion (see below). If it is satisfied, stop. Otherwise, return to step 2 and replace $i$ by $i + 1$.

Possible Stop Criteria for Terminating Computation

3. $f(x_i) - f(x_{i+1}) < \epsilon$

4. $\mathrm{Max}\,\{|x_{i+1} - x_i|\} < \epsilon$

Cubic Interpolation

1. Calculate $A$, the maximum value of $|s_j|$.

2. Divide each component of the vector $s$ by $A$.

3. Compute $g(\alpha)$ and $g'(\alpha) = s^T \nabla f(x + \alpha s)$ for $\alpha$ = 0, 1, 2, 4, ..., $a$, $b$, where $b$ is the first of these values at which either $g'$ is nonnegative or $g$ has not decreased. If $g(1) \gg g(0)$, divide the components of $s$ by some factor (2 or 3) and repeat this step.

4. Compute

$z = 3\,\dfrac{g(a) - g(b)}{b - a} + g'(a) + g'(b)$

5. Compute

$w = [z^2 - g'(a)\,g'(b)]^{1/2}$

6. Compute

$\alpha_e = b - \dfrac{g'(b) + w - z}{g'(b) - g'(a) + 2w}\,(b - a)$

7. If $g(\alpha_e) < g(a)$ and $g(\alpha_e) < g(b)$, accept $\alpha_e$ as the desired minimum value $\alpha^*$.

8. If $g(\alpha_e) > g(a)$ or $g'(\alpha_e) > 0$, repeat steps 4 through 6 using $b = \alpha_e$.

9. Otherwise, repeat steps 4 through 6 using $a = \alpha_e$.

Quadratic Interpolation

1. Calculate $A$, the maximum value of $|s_j|$.

2. Divide each component of the vector $s$ by $A$.

3. If $g(1) > g(0)$, compute $g(\alpha)$ for $\alpha$ = 1/2, 1/4, ... until $g(\alpha) < g(0)$. Set $a = 0$, $b = \alpha$, and $c = 2\alpha$ and go to step 5.

4. Compute $g(\alpha)$ for $\alpha$ = 0, 1, 2, 4, 8, ..., $a$, $b$, $c$. Stop the computation at $\alpha = c$ when the present value of $g(\alpha)$ is greater than the last computed value.

5. Compute

$\alpha_e = \tfrac{1}{2}\,[g(a)(c^2 - b^2) + g(b)(a^2 - c^2) + g(c)(b^2 - a^2)] \div [g(a)(c - b) + g(b)(a - c) + g(c)(b - a)]$

6. If $g(\alpha_e) < g(b)$, accept $\alpha_e$ as the desired minimum value $\alpha^*$; otherwise accept $b$ as the desired value $\alpha^*$.


The Fletcher-Powell Method

1. Start with a positive definite matrix $H_0$ (usually chosen as the identity matrix) and an initial point $x_0$. The $i$th step, $i$ = 0, 1, ... proceeds as follows.

2. Compute the gradient, $\nabla f(x_i)$.

3. Compute the direction:

$s_i = -H_i \nabla f(x_i)$

4. Choose a step length $\alpha_i$ to minimize $g(\alpha) = f(x_i + \alpha s_i)$. See cubic or quadratic interpolation procedure above.

5. Compute d, -

6. Compute a new value $x_{i+1}$ from the relationship

4" a X

7. Compute

$y_i = \nabla f(x_{i+1}) - \nabla f(x_i)$

8. Compute the matrix

°i y,

9. Compute the matrix

B, - — — — - —
y^y,

10. Compute the successor matrix

$H_{i+1} = H_i + A_i + B_i$

11. Check the stop criterion. If it is satisfied, stop. Otherwise, return to step 2, using the successor matrix as the new $H_i$, and replace $i$ by $i + 1$.

The Conjugate Gradient Method

1. Start with an initial vector of variables $x_0$ and an initial direction $s_0 = -\nabla f(x_0)$. The $i$th step ($i$ = 0, 1, 2, ...) proceeds as follows.

2. Choose a step length $\alpha_i$ to minimize

$g(\alpha) = f(x_i + \alpha s_i)$

See cubic or quadratic interpolation procedure above.

3. Compute a new vector of variables,

$x_{i+1} = x_i + \alpha_i s_i$

4. Compute $\nabla f(x_{i+1})$.

5. Compute

$\beta_i = \dfrac{\nabla f^T(x_{i+1})\,\nabla f(x_{i+1})}{\nabla f^T(x_i)\,\nabla f(x_i)}$

6. Compute a successor direction,

$s_{i+1} = -\nabla f(x_{i+1}) + \beta_i s_i$

7. Check a stop criterion. If it is satisfied, stop. Otherwise, return to step 2 and replace $i$ by $i + 1$.

Powell's Method

1. For $r$ = 1, 2, ..., $n$, calculate $\alpha_r$ so that $f(x_{r-1} + \alpha s_r)$ is a minimum (see cubic or quadratic interpolation procedure) and define

$x_r = x_{r-1} + \alpha_r s_r$

2. Find the integer $m$, $1 \le m \le n$, so that $[f(x_{m-1}) - f(x_m)]$ is a maximum, and define

3. Calculate $f_3 = f(2x_n - x_0)$ and define $f_1 = f(x_0)$ and f2 m

4. If f3 >fx or if {fl ~2f0 + /3)- A)2 > * A- «i - ^i.2, or both, use the old directions s1^2» -i s, for the next iteration and use $x_n$ as the next $x_0$.

5. If neither condition in step 4 holds, define $s = (x_n - x_0)$, and calculate $\alpha$ so that $f(x_n + \alpha s)$ is a minimum (see cubic or quadratic interpolation procedure).

..., s’ as the directions for the next iteration and xn - as for the next

6 fit a cubic polynomial to the computed
values $g(a)$, $g'(a)$, $g(b)$ and $g'(b)$. This
polynomial has a unique minimum located at $\alpha_e$ in
the interval between $a$ and $b$. In Step 7, $\alpha_e$ is
taken as the desired value of $\alpha^*$ if $\alpha_e$ is a
better choice than either $a$ or $b$. If not, the
interpolation is repeated over a smaller
interval in Steps 8 and 9.

If derivatives are not available or are
difficult to compute, the quadratic interpolation
procedure can be used for 1-dimensional
minimization. Step 5 of this procedure fits a
quadratic polynomial to the three values $g(a)$, $g(b)$,
and $g(c)$. The minimum of this polynomial is
located at $\alpha_e$.

The most that can be guaranteed by the
steepest descent method, or any other
iterative minimization technique, is that it will
find a local minimum, usually the one
"nearest" to the starting point $x_0$. To attempt to
find all local minima (and thus the global
minimum), the usual approach is to repeat the
minimization from many different initial
points.

12-2.1.3  Numerical  Difficulties 

Since successive steps of the method of
steepest descent are orthogonal, some
functions converge very slowly. If the function
contours are circles (or, in the n-dimensional
case, hyperspheres), the method finds the
minimum in one step. However, for other
contours, the gradient direction is generally
quite different from the direction to the
minimum, and the method produces the
inefficient zig-zag behavior shown in Fig. 12-1.
Since many, if not most, of the functions
occurring in practical applications have
eccentric or nonspherical contours, we often must
turn to more efficient methods than steepest
descent.
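
The zig-zag behavior can be reproduced numerically. The following Python sketch is an added example, not part of the handbook: it runs the steepest descent steps of Table 12-1 with the quadratic interpolation line search and Stop Criterion 3 on two assumed test functions, one with circular contours and one with elongated contours. The function names, test functions, starting point, and tolerances are assumptions chosen for illustration.

```python
def quadratic_line_search(g, max_steps=60):
    """Steps 3 to 6 of the quadratic interpolation procedure for a 1-dimensional g(alpha)."""
    g0 = g(0.0)
    if g(1.0) > g0:
        # Step 3: try alpha = 1/2, 1/4, ... until g(alpha) < g(0); bracket is (0, alpha, 2*alpha).
        alpha = 0.5
        for _ in range(max_steps):
            if g(alpha) < g0:
                break
            alpha /= 2.0
        else:
            return 0.0  # no decrease found along s: treat the current point as the minimum
        a, b, c = 0.0, alpha, 2.0 * alpha
    else:
        # Step 4: try alpha = 0, 1, 2, 4, 8, ... and stop at c when g rises; keep the last three.
        a, b, c = 0.0, 1.0, 2.0
        for _ in range(max_steps):
            if g(c) > g(b):
                break
            a, b, c = b, c, 2.0 * c
        else:
            return b    # g never rose within max_steps doublings (assumed safeguard)
    ga, gb, gc = g(a), g(b), g(c)
    # Step 5: minimum of the parabola through (a, ga), (b, gb), (c, gc).
    numerator = 0.5 * (ga * (c * c - b * b) + gb * (a * a - c * c) + gc * (b * b - a * a))
    denominator = ga * (c - b) + gb * (a - c) + gc * (b - a)
    if denominator <= 0.0:
        return b        # degenerate bracket in floating point (assumed safeguard)
    alpha_e = numerator / denominator
    # Step 6: accept alpha_e only if it beats b.
    return alpha_e if g(alpha_e) < gb else b


def steepest_descent(f, grad, x0, eps=1e-10, max_iter=10000):
    """Method of steepest descent; returns (x, number of line searches performed)."""
    x = list(x0)
    fx = f(x)
    searches = 0
    for _ in range(max_iter):
        s = [-d for d in grad(x)]                 # Step 2: s_i = -grad f(x_i)
        biggest = max(abs(c) for c in s)
        if biggest == 0.0:
            break                                 # gradient vanishes: at a stationary point
        s = [c / biggest for c in s]              # interpolation steps 1-2: scale s by max |s_j|
        alpha = quadratic_line_search(
            lambda t: f([xj + t * sj for xj, sj in zip(x, s)]))   # Step 3
        searches += 1
        x_new = [xj + alpha * sj for xj, sj in zip(x, s)]         # Step 4
        f_new = f(x_new)
        done = fx - f_new < eps                   # Stop Criterion 3
        if f_new < fx:
            x, fx = x_new, f_new
        if done:
            break
    return x, searches


# Assumed test functions, both with minimum at (3, -1).
def f_round(x):      # circular contours
    return (x[0] - 3.0) ** 2 + (x[1] + 1.0) ** 2

def grad_round(x):
    return [2.0 * (x[0] - 3.0), 2.0 * (x[1] + 1.0)]

def f_long(x):       # elongated (eccentric) contours
    return (x[0] - 3.0) ** 2 + 50.0 * (x[1] + 1.0) ** 2

def grad_long(x):
    return [2.0 * (x[0] - 3.0), 100.0 * (x[1] + 1.0)]

START = (-2.0, -0.9)  # assumed starting point x_0


if __name__ == "__main__":
    for name, f, g in (("circular", f_round, grad_round), ("elongated", f_long, grad_long)):
        x, n = steepest_descent(f, g, START)
        print(f"{name:9s} contours: x = ({x[0]:.5f}, {x[1]:.5f}) after {n} line searches")
```

From the assumed starting point the circular case reaches the minimum with its first line search, while the elongated case needs a few hundred before Stop Criterion 3 is met.
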


12-2.2 SECOND-ORDER GRADIENT METHODS

A number of minimization techniques
have been developed to overcome the
difficulties of the method of steepest descent. The
general notion behind these techniques is that
methods which quickly and efficiently
minimize a general function must fulfill two
criteria. They must work well on a quadratic
function, and they must be guaranteed to
converge (eventually) for any general function.
These criteria are based on the observation
that, since the first partial derivatives of a
function vanish at the minimum, a Taylor
series expansion about the minimum $x^*$ yields
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tig-zag  line  shows  the  path  taken  by  a steepest 
descent  procedure  seeking  the  minimum  value  of 
this  function. 

FIGURE  12-1.  Finding  the  Minimum  Using  the 
Steepest  Descent  Method' 


fix)  - f(x*)  + Vfc(x  - X*F  H/,(x*)(x  - x*), 

(12-5) 

where 

T indicates  the  transpose  of  a matrix 

and 

H^x*)  = matrix  of  second  partials  of  f 
evaluated  at  x*. 

H,  is  assumed  to  be  positive  definite;  thus,  the 
function  behaves  like  a pure  quadratic  in  the 
vicinity  of  x*. 

12-2.2.1  Conjugate  Directions 

Most,  if  not  all,  of  the  newer,  more  effi- 
cient unconstrained  minimization  procedures 
are  based  on  the  idea  of  conjugate  directions 
(Refs.  6-8). 


The general (positive definite) quadratic function can be written as

$$q(x) = a + b^T x + x^T A x \tag{12-6}$$

where the matrix A is positive definite and symmetric. The procedure
for finding the minimum value $q(x^*)$ consists of starting at some
initial point $x_0$ and taking successive steps along the directions
$s_0, s_1, \ldots, s_{n-1}$. All these directions are chosen to be
A-conjugate; i.e., for all $i \ne j$, $i, j = 0, 1, \ldots, n - 1$,
these directions satisfy the relationship

$$s_i^T A s_j = 0. \tag{12-7}$$

Successive points in the minimization procedure are computed from

$$x_{i+1} = x_i + \alpha_i s_i. \tag{12-8}$$

As in the steepest descent method, the value of the step size
$\alpha_i$ is found by minimizing $f(x_i + \alpha s_i)$.

It can be shown that, regardless of the starting point, this
sequential process leads to the desired minimum value of $q(x^*)$ in n
steps or less (where n is the number of variables in the vector x)
(Ref. 8). Thus, conjugate directions minimize a quadratic very
efficiently.

12-2.2.2  The  Fletcher-Powell  Method

The method presented by Fletcher and Powell (outlined in Table 12-1)
is probably the most powerful general procedure now known for finding
a local minimum of a general function f(x) (Refs. 8 and 9).

Central to the method is a symmetric, positive definite matrix $H_i$
which is updated at each iteration, and which supplies the current
direction of motion $s_i$ when multiplied by the gradient vector. The
numerators $A_i$ and $B_i$ in Steps 8 and 9 of the Fletcher-Powell
method are both matrices, while the denominators are scalars. Fletcher
and Powell have demonstrated that their method will always converge,
since the objective function f is initially decreasing along the
direction $s_i$. When the method is applied to a quadratic (Eq. 12-5),
the directions $s_i$ are A-conjugate, and the process converges to a
minimum in n steps. The matrix $H_i$ converges to the inverse matrix
$A^{-1}$ after n steps. When applied to a general function, $H_i$ tends
to become the inverse of the matrix of second partial derivatives of
f(x) evaluated at the optimum.
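The n-step behavior on a quadratic described above, as an added example that is not part of the handbook: it uses the standard published form of the Fletcher-Powell update rather than a transcription of Table 12-1, and assumes the quadratic is written as q(x) = b^T x + (1/2) x^T A x so that the matrix of second partials is A. All function names and the sample A and b are constructed for illustration.

```python
# Added example (not from the handbook): Fletcher-Powell update on a quadratic.
# Assumption: q(x) = b.x + 0.5 * x^T A x, so the matrix of second partials is A.

def dot(u, v):
    return sum(ui * vi for ui, vi in zip(u, v))

def matvec(M, v):
    return [dot(row, v) for row in M]

def gradient(A, b, x):
    """Gradient of q at x: b + A x."""
    return [bi + yi for bi, yi in zip(b, matvec(A, x))]

def dfp_quadratic(A, b, x0):
    """Run at most n Fletcher-Powell iterations with exact line searches.

    Returns (x, H, directions): final point, final matrix H, directions used.
    """
    n = len(x0)
    x = list(x0)
    H = [[1.0 if r == c else 0.0 for c in range(n)] for r in range(n)]  # H_0 = I
    g = gradient(A, b, x)
    directions = []
    for _ in range(n):
        if max(abs(gi) for gi in g) < 1e-12:
            break  # gradient already vanishes: x is the minimum
        s = [-v for v in matvec(H, g)]              # s_i = -H_i * grad f(x_i)
        alpha = -dot(g, s) / dot(s, matvec(A, s))   # exact minimiser along s
        dx = [alpha * si for si in s]
        x = [xi + di for xi, di in zip(x, dx)]
        g_new = gradient(A, b, x)
        dg = [new - old for new, old in zip(g_new, g)]
        Hdg = matvec(H, dg)
        dx_dg = dot(dx, dg)      # scalar denominator of the first correction
        dg_Hdg = dot(dg, Hdg)    # scalar denominator of the second correction
        for r in range(n):
            for c in range(n):
                # matrix numerators: dx dx^T and (H dg)(H dg)^T
                H[r][c] += dx[r] * dx[c] / dx_dg - Hdg[r] * Hdg[c] / dg_Hdg
        directions.append(s)
        g = g_new
    return x, H, directions

def max_conjugacy_defect(A, directions):
    """Largest |s_i^T A s_j| over pairs i != j (zero if A-conjugate)."""
    worst = 0.0
    for i, si in enumerate(directions):
        for sj in directions[i + 1:]:
            worst = max(worst, abs(dot(si, matvec(A, sj))))
    return worst

def max_inverse_defect(H, A):
    """Largest entry of |H A - I| (zero when H is the inverse of A)."""
    n = len(A)
    cols = [[A[r][c] for r in range(n)] for c in range(n)]
    return max(abs(dot(H[r], cols[c]) - (1.0 if r == c else 0.0))
               for r in range(n) for c in range(n))

# Constructed sample data: a symmetric positive definite A and an arbitrary b.
A_SAMPLE = [[4.0, 1.0, 0.0], [1.0, 3.0, 1.0], [0.0, 1.0, 2.0]]
B_SAMPLE = [-1.0, -2.0, -3.0]

if __name__ == "__main__":
    x, H, dirs = dfp_quadratic(A_SAMPLE, B_SAMPLE, [0.0, 0.0, 0.0])
    print("steps taken:", len(dirs))
    print("gradient at final point:", gradient(A_SAMPLE, B_SAMPLE, x))
    print("max |s_i^T A s_j|:", max_conjugacy_defect(A_SAMPLE, dirs))
    print("max |H A - I|:", max_inverse_defect(H, A_SAMPLE))
```

With three variables the run takes three steps, after which the gradient, the conjugacy defect and the difference between H and the inverse of A are all at rounding level.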

Numerical tests bear out the rapid convergence of this method.
Consider, for example, the function

$$f(x_a, x_b) = 100(x_b - x_a^2)^2 + (1 - x_a)^2 \tag{12-9}$$

This is called the Rosenbrock function (Ref. 10). Its contours are
shown in Fig. 12-2. The minimum is at (1,1), and the steep curving
valley along $x_b = x_a^2$ makes minimization difficult. The paths
taken by the optimum gradient technique and by the Fletcher-Powell
method are also in Fig. 12-2. Notice that the Fletcher-Powell technique
follows the curved valley and minimizes very efficiently.

Another conjugate direction minimization technique is the conjugate
gradient method, outlined in Table 12-1. It requires computation of
the gradient of f(x) and storage of only one additional vector, the
actual direction of search (Ref. 9). This method is not quite as
efficient as the Fletcher-Powell technique but requires much less
storage, a significant advantage when the number of variables n is
large (Ref. 9).

There are a number of minimization techniques that do not require
derivatives. Powell's method seems to be the most efficient of these
(Refs. 8 and 9). In this method, outlined in Table 12-1, each iteration
requires n 1-dimensional minimizations down n linearly independent
directions, $s_1, s_2, \ldots, s_n$. As a result of these minimizations
a new direction s is defined. If a specified test is passed, s replaces
one of the original directions. The process usually is started from the
best estimate of the minimizing x using the initial $s_i$'s as the
reference coordinate directions.

12-3  CONSTRAINED  OPTIMIZATION 
PROBLEMS 

In constrained minimization problems, the variables x may take on only
certain allowable values. In Fig. 12-3, for instance, the unshaded area
is the set of allowable values of variables $x_a$ and $x_b$, called the
constraint set. This is the set of all points satisfying the
inequalities $x_a \ge 0$, $x_b \ge 0$, $g_1(x) \ge 0$, and
$g_2(x) \ge 0$.


A general programming problem may have equality constraints as well as
inequality constraints. Equalities often describe the operation of a
system, while inequalities define limits within which certain physical
variables must lie. Thus the general problem of constrained
minimization can be posed as one of minimizing the objective function
f(x) subject to inequality and equality constraints:

$$\left.\begin{aligned} g_i(x) &\le 0, \quad i = 1, 2, \ldots, s \\ h_j(x) &= 0, \quad j = 1, 2, \ldots, r \end{aligned}\right\} \tag{12-10}$$

When the functions f, $g_i$, and $h_j$ are all linear, the problem is
one of linear programming; if any of the functions are nonlinear, the
programming problem is nonlinear.

Constrained  optimization  problems  are 
generally  more  difficult  to  solve  than  those 
without  constraints.  However,  it  is  sometimes 
possible  to  eliminate  inequality  constraints  by 
appropriate  transformations.  A number  of 
transformations,  as  well  as  sequences  of  trans- 
formation, have  been  found  useful  (Ref.  10). 

12-3.1  NONLINEAR  CONSTRAINTS 

A specific nonlinear programming problem is shown in Fig. 12-4. The
constraints are all linear inequalities ($x_1 \ge 0$, $x_2 \ge 0$,
$5 - x_1 - x_2 \ge 0$, $-2.5 + x_1 - x_2 \le 0$) which form a
constraint set with four corners. The nonlinear objective function,
represented by a set of concentric circles, is

$$f(x) = (x_1 - 3)^2 + (x_2 - 4)^2. \tag{12-11}$$

The minimum value of f(x) corresponds to the contour of lowest value
having at least one point in common with the constraint set. This is
the contour labeled f(x) = 2, and the desired solution is at its point
of tangency with the constraint set ($x_1^* = 2$, $x_2^* = 3$); this is
not a corner point of the set, although it is a boundary point (for
linear programs, the minimum is always at a corner point). Fig. 12-5
shows what happens to the problem when the objective function is
changed to

$$f(x) = (x_1 - 2)^2 + (x_2 - 2)^2. \tag{12-12}$$

The minimum is now at $x_1^* = 2$, $x_2^* = 2$, which is not even a
boundary point of the constraint set. Therefore, this problem could
have been solved as an unconstrained minimization of f(x).
FIGURE 12-2. Comparison of Fletcher-Powell and Optimum Gradient
Techniques for Minimizing a Difficult Function⁹
(The Fletcher-Powell procedure found the minimum in 17 computational
iterations. The optimum gradient technique required 67 iterations.)

FIGURE 12-3. Constraint Set
(Allowable values for the variables in a problem may be limited or
constrained. The area within four boundary curves is called the
constraint set.)

FIGURE 12-4. Nonlinear Programming Problem With Constrained Minimum
(Values of the nonlinear objective function, which is to be minimized,
are shown as concentric circles. The constrained minimum is one of
these lines.)

FIGURE 12-5. Nonlinear Programming Problem With Objective Function
Inside the Constraint Set⁴
(When the minimum value of the objective function is inside the
constraint set, the constraint does not affect the solution. Here the
point f(x) = 0 is the desired minimum value.)


As  an  example  of  a nonlinear  problem  in 
which  local  optima  occur,  consider  an  objec- 
tive function  with  two  minima,  both  of  which 
fall  within  the  constraint  set  so  that  there  are 
two  local  minima.  Contours  of  such  a func- 
tion are  like  those  shown  in  Fig.  12-6. 

The chief nonlinearity in a programming problem often appears in the
constraints rather than in the objective function. The constraint set
will then have curved boundaries. A problem with nonlinear constraints
can very easily have local optima, even if the objective function has
only one unconstrained minimum. This is demonstrated in Fig. 12-7,
where there is a nonlinear objective function with a nonlinear
constraint set that gives local optima at the two points a and b. No
point of the constraint set in the immediate vicinity of either point
yields a smaller value of f(x).

From these examples we can see that the optimum of a nonlinear
programming problem will not necessarily be at a corner point of the
constraint set and may not even be on the boundary. In addition, there
may be local optima distinct from the global optimum. These properties
are direct consequences of the nonlinearity. However, a class of
nonlinear problems can be defined which are guaranteed to be free of
distinct local optima. These are called convex programming problems.
Before some of the specific methods of solving constrained
minimization problems are described, the concept of convexity and its
implications for nonlinear programming will be discussed.

12-3.2  CONVEXITY 

There are several reasons why the concepts of convexity and convex
functions (which will be defined in this paragraph) are important in
nonlinear programming. It is usually impossible to prove that a given
procedure will find the global minimum of a nonlinear programming
problem unless the problem is convex. Even though there are many
real-world problems that are not convex, results obtained under
convexity assumptions often can give insight into the properties of
more general problems. Sometimes, such results even can be carried
over to problems that are not convex, but in a weaker form. In fact,
few important mathematical results have been derived in the
programming field without assuming convexity.

FIGURE 12-6. Local Minimum
(There may be more than one minimum point within the constraint set.
Here, f(x) = 4 and f(x) = 3 are both constrained minima, but f(x) = 4
is only local.)

FIGURE 12-7. Local Minima Due to Curved Constraints⁴
(Here the constraint set has curved boundaries which cause the local
minimum f(x) to be 40; the global minimum f(x) in this case is 15.)

Convexity  thus  plays  a role  in  mathemati- 
cal programming  which  is  similar  to  the  role 
of  linearity  in  the  study  of  dynamic  systems, 
where  many  results  derived  from  linear  theory 
are  used  in  the  design  of  nonlinear  control 
systems. 

The  main  theorem  of  convex  program- 
ming is  that  any  local  minimum  of  a convex 
programming  problem  is  a global  minimum.  If 
the  problem  has  a number  of  points  at  which 
the  global  minimum  exists,  the  set  of  all  such 
points  is  convex,  and  no  distinct,  separate, 
local  minima  with  different  functional  values 
can  exist.  This  is  a very  convenient  property 
since  it  greatly  simplifies  the  task  of  locating 
the  global  minimum. 

A set of points is convex if the line segment joining any two of these
points remains in the set. In Fig. 12-8, sets A and B are convex, while
C is not. A convex set can be thought of as one whose walls do not
bulge inwards. The constraint set of a linear programming problem is
always convex.

FIGURE 12-8. Convex and Nonconvex Sets
(A linear constraint set is always convex.)

In the multidimensional case, these geometrical ideas must be
formulated in algebraic terms. In particular, the line segment between
two points must be defined. If the two points are $x_1$ and $x_2$, the
segment between them is the set

$$S = \{x \mid x = \lambda x_1 + (1 - \lambda)x_2,\ 0 \le \lambda \le 1\}. \tag{12-13}$$

If $\lambda = 0$, $x = x_2$; if $\lambda = 1$, $x = x_1$; as $\lambda$
varies between these extreme values, x moves along the line joining
$x_1$ and $x_2$. This can easily be verified in two or three
dimensions.

A function f(x) is convex if the line segment drawn between any two
points on the graph of the function never lies below the graph. If the
line segment never lies above the graph, the function is concave.
Examples of concave and convex functions are shown in Fig. 12-9. The
left function is strictly convex, since the line segment is always
above the function; the right function is strictly concave. A linear
function is both convex and concave, but neither strictly convex nor
strictly concave.

FIGURE 12-9. Concave and Convex Functions⁴
(A linear function is both convex and concave.)

Algebraically, a function f(x) is convex if

$$f(\lambda x_1 + (1 - \lambda)x_2) \le \lambda f(x_1) + (1 - \lambda) f(x_2) \tag{12-14}$$

for all $x_1$, $x_2$ in the (convex) domain of definition of f. The
function is strictly convex if the strict inequality holds.

A convex programming problem is one of minimizing a convex function
over a convex constraint set. As we mentioned earlier, the main
theorem regarding such programs is that any local minimum of a convex
programming problem is a global minimum. Furthermore, if there are a
number of points at which the global minimum is attained, the set of
all such points is convex. Thus, there can be no separated local minima
with different functional values. Since most procedures can locate only
local minima, these properties are very advantageous. The theorems of
convexity (Refs. 11 and 12) listed in Table 12-2 allow this to be done
in some cases.

As a consequence of convexity theorems 1 and 2, the problem of
minimizing a convex function f(x), subject to r constraints
$g_i(x) \ge b_i$, $i = 1, \ldots, r$ with all $g_i$ convex, is always a
convex programming problem. This is true because, from theorem 1, each
of the sets

$$R_i = \{x \mid g_i(x) \ge b_i\} \tag{12-15}$$

is convex. The constraint set R, which is the intersection of all the
sets $R_i$, is also convex by convexity theorem 2.

Since  all  linear  functions  are  convex,  a lin- 
ear programming  problem  is  always  a convex 
programming  problem.  This  establishes  more 
firmly  the  geometrically  evident  fact  that  a 
linear  program  cannot  have  local  optima  dis- 
tinct from  the  global  optimum. 

Since convex programs can be identified by determining whether the
objective and constraint functions of the problem are convex, it is
important to characterize convex functions closely. This can be done by
using convexity theorems 3 through 6. Statement b in theorem 3 says
that the function, evaluated at any point $x_1$, never lies below its
tangent plane passed through any other point $x_2$. Theorem 4 is a
direct consequence of statement c in theorem 3.

Since $f(x + \alpha s)$ is the function evaluated at points along the
line s passing through the point x, theorem 6 implies that a convex
function is convex along any line. This allows us to test to see
whether a given function of n variables is not convex, for if any line
in n-dimensional space can be found along which $g(\alpha)$ is not
convex, then f(x) is not convex either.

12-3.3  MIXED  PROBLEMS 

Many problems involve both equality and inequality constraints. In
such problems, it has been found that the linear function
$g(x) = a^T x$ is the only function for which the set

$$R = \{x \mid g(x) = 0\} \tag{12-16}$$

is convex.

Nonlinear functions in two dimensions have graphs that are curved
surfaces. If $x_1$ and $x_2$ are on the graph and are, therefore, in
the constraint set R, then points on the line segment joining $x_1$ and
$x_2$ will, in general, not lie on the graph (will not be in R). A
hyperplane, being "flat", is an obvious exception.

Consider the problem of minimizing f(x) subject to the constraints
$g_i(x) \ge 0$, $i = 1, \ldots, r$ and $h_j(x) = 0$,
$j = 1, \ldots, s$. From the preceding statements, this may not be a
convex programming problem if any of the functions $h_j(x)$ are
nonlinear. This, of course, does not preclude efficient solution of
such problems, but it does make it more difficult to guarantee the
absence of local optima.

In many cases, the equality constraints can be used to eliminate some
of the variables, leaving a problem with only inequality constraints
and fewer variables. Even if the equalities are difficult to solve
analytically (for example, if they are highly nonlinear), it may still
be worthwhile to solve them numerically. Such an approach has been
used successfully for structural design (Refs. 13 and 14).

12-3.4  THE  KUHN-TUCKER  CONDITIONS 

The most important theoretical results in the field of nonlinear
programming are the conditions of Kuhn and Tucker, which must be
satisfied at any constrained optimum, local or global, of any linear
and of most nonlinear programming problems (Ref. 15). These conditions
form the basis for the development of many computational procedures.
In addition, the criteria for stopping many procedures (i.e., for
recognizing when a local constrained optimum has been achieved) are
derived directly from these conditions.

TABLE 12-2

OPTIMIZING CONSTRAINED PROBLEMS

Convexity Theorems

Theorem 1. If f(x) is convex, the set
$R = \{x \mid f(x) \le k\}$
is convex for all scalars k.

Theorem 2. The intersection of any number of convex sets is convex.

Theorem 3. If f(x) has continuous first and second derivatives, the
following three statements are all equivalent:

a. f(x) is convex;

b. $f(x_1) \ge f(x_2) + \nabla f^T(x_2)(x_1 - x_2)$ for any two points
$x_1$, $x_2$;

c. the matrix of second partial derivatives of f(x) is positive
semidefinite for all points x.

Theorem 4. A positive semidefinite quadratic form is convex.

Theorem 5. A positive linear combination of convex functions is convex.

Theorem 6. A function f(x) is convex if and only if the
one-dimensional function $g(\alpha) = f(x + \alpha s)$ is convex for
all fixed x and s.

Zoutendijk's Method of Feasible Directions

1. Start with an initial point $x_0$ which satisfies all constraints.
For i = 0, 1, ..., do the following steps.

2. At the current point, $x_i$, determine which constraints are binding
(or almost binding) and form the set I containing their indices.

3. Choose a set of $\theta_j$ ($0 \le \theta_j \le 1$) used to steer
away from nonlinear constraint boundaries.

4. Compute a new usable feasible direction, $s_i$, by solving the
direction-finding problem of minimizing $\xi$ subject to the
conditions

$$\nabla g_j^T(x_i)\,s + \theta_j \xi \ge 0$$
$$\nabla f^T(x_i)\,s - \xi \le 0$$
$$s^T s \le 1$$

If the minimum value of $\xi \ge 0$, no such direction exists and the
computation is terminated. The current point is generally a local
constrained minimum. If $\xi < 0$ proceed to step 5.

5. Compute a step length $\alpha_i$ by minimizing
$f(x_i + \alpha s_i)$ subject to the condition that
$x_i + \alpha s_i$ violates no constraints.

6. Using $\alpha_i$, compute a successor point
$x_{i+1} = x_i + \alpha_i s_i$ and return to step 2 with i replaced by
i + 1.

Rosen's Gradient-Projection Method

1. Start at a point $x_0$ that satisfies the constraints. The ith
iteration, i = 0, 1, ... proceeds as follows:

2. Compute $\nabla f(x_i)$.

3. Determine which constraints are binding at $x_i$ and call these the
constraints associated with $x_i$.

4. Compute $s_i$, the projection of $-\nabla f(x_i)$ on the
intersection of the constraints associated with the point $x_i$.

5. If $s_i$ is not the zero vector, compute a step length $\alpha_i$ by
minimizing $g(\alpha) = f(x_i + \alpha s_i)$ subject to the condition
that $x_i + \alpha s_i$ violates no constraints. This determines a new
point $x_{i+1} = x_i + \alpha_i s_i$. Return to step 2 and replace i
with i + 1.

6. If $s_i$ is zero, then

$$\nabla f(x_i) = \sum_j u_j s_j$$

which is a linear combination of normals $s_j$ to the binding
constraint planes.

7. If all $u_j \ge 0$, then $x_i$ is the solution of the problem, for
the Kuhn-Tucker conditions are satisfied.

8. Otherwise, define a new set of planes to be associated with $x_i$ by
deleting from the present set one plane for which $u_j < 0$, and return
to step 4.

The Fiacco-McCormick Conditions

1. The interior of the constraint set is non-empty.

2. The functions f and $g_i$ are twice continuously differentiable.

3. The set of points in the constraint set for which $f(x) \le k$ is
bounded for all $k < \infty$.

4. The function f(x) is bounded below for x in the constraint set.

If conditions 1 through 4 hold, at least one finite local minimum of
P(x, r) [see Eq (24)] exists within the constraint set for any r > 0.
Furthermore, f is monotonically nonincreasing as r is reduced
(Ref. 25).

5. f(x) is convex.

6. The $g_i(x)$ are concave functions.

7. P(x, r) is strictly convex in the interior of the constraint set for
any r > 0.

If conditions 5 through 7 also hold, there is a convex programming
problem; any local minimum is global, and the procedure converges to
the global minimum as $r \to 0$.

The Fiacco-McCormick Method

1. Start with $x_0$, which must be strictly inside the constraint set,
and $r_1 > 0$. Let i = 1, 2, ... .

2. Minimize $P(x, r_i)$, starting from $x_{i-1}$, and subject to no
constraints.

3. Reduce r by choosing $r_{i+1} < r_i$, and return to step 2 with i
replaced by i + 1.

4. Stop if the change in the objective function fails to exceed a
specified value for some predetermined number of iterations.

The concept of a cone can be used to help visualize the Kuhn-Tucker
conditions. A cone is defined as a set of points R such that, if x is
in R, $\lambda x$ is also in R for $\lambda \ge 0$. A convex cone R has
the additional property that if x and y are in R, x + y is also in R.
The set of all non-negative linear combinations of a finite set of
vectors forms a convex cone; i.e., the set R is a convex cone, where

$$R = \{x \mid x = \lambda_1 x_1 + \cdots + \lambda_m x_m,\ \lambda_i \ge 0;\ i = 1, \ldots, m\}. \tag{12-17}$$

The vectors $x_1, x_2, \ldots, x_m$ are called the generators of the
cone. For example, the convex cone of Fig. 12-10 is generated by the
vectors (2,1) and (2,4). Any vector that can be expressed as a
non-negative linear combination of these vectors lies in this cone. In
Fig. 12-10 the vector (4,5) in the cone is given by

$$(4,5) = 1 \cdot (2,1) + 1 \cdot (2,4). \tag{12-18}$$


The Kuhn-Tucker conditions are predicated on the fact that at any
constrained optimum, no small, allowable change in the problem
variables can improve the objective function. To illustrate this,
consider the nonlinear programming problem shown in Fig. 12-11. It is
evident that the optimum is at the intersection of the two constraints.
At (1,1) in Fig. 12-11 the set of all feasible directions lies between
the line $-x - y + 2 = 0$ and the tangent line $y = 2x - 1$. In other
words, this set is the cone generated by these two lines. The vector
$-\nabla f$ points in the direction of the maximum rate of decrease of
the objective function f(x,y). A move along any direction making an
angle of less than 90 deg with $-\nabla f$ will decrease f(x,y). Thus,
at the optimum, there can be no feasible direction with an angle of
less than 90 deg between it and $-\nabla f$.

The negative gradients $-\nabla g_1$ and $-\nabla g_2$ are also shown
in Fig. 12-11; and $-\nabla f$ is contained in the cone generated by
these negative gradients. If $-\nabla f$ were not contained in the
cone, but slightly above $-\nabla g_2$, it would make an angle of less
than 90 deg with a feasible direction just below the line
$-x - y + 2 = 0$. Similarly, if $-\nabla f$ were slightly below
$-\nabla g_1$, it would make an angle of less than 90 deg with a
feasible direction just above the line $y = 2x - 1$. Neither of these
cases can occur at an optimum point, and both cases are excluded if and
only if $-\nabla f$ lies within the cone generated by $-\nabla g_1$ and
$-\nabla g_2$. This is the geometric statement of the Kuhn-Tucker
conditions; a necessary condition for x to minimize f(x), subject to
the constraints $g_i(x) \ge 0$ where $i = 1, \ldots, r$, is that the
gradient $\nabla f$ lie within the cone generated by the gradients of
the binding constraints.

In an algebraic statement of the Kuhn-Tucker conditions, since
$\nabla f$ lies within the cone described, it must be a nonnegative
linear combination of the gradients of the binding constraints. In
other words, there must exist numbers $u_i \ge 0$ such that

$$\nabla f(x^*) = \sum_{i=1}^{p} u_i \nabla g_i(x^*) \tag{12-19}$$

where the binding constraints are assumed to be $g_1, \ldots, g_p$
($p \le r$). This relationship can be extended to include all
constraints by defining the coefficient $u_i$ to be zero if
$g_i(x^*) > 0$. If this is done, the product $u_i g_i(x^*)$ is zero for
all i. Eq. 12-19 is the form in which the Kuhn-Tucker conditions
usually are stated.

FIGURE 12-10. Convex Cone
(The shaded area represents a cone generated by vectors (2,1) and
(2,4).)

FIGURE 12-11. Nonlinear Program Illustrating the Use of a Cone
(The objective function is shown by concentric circles, and the
constrained minimum is clearly at the point (1,1). All feasible
directions at this point are contained in the cone generated by the
gradients $-\nabla g_1$ and $-\nabla g_2$, which are normal to the
constraint boundaries.)

If  a minimization  problem  with  inequality 
constraints  is  a convex  programming  problem 
whose  constraint  set  has  a nonempty  interior, 
the  Kuhn-Tucker  conditions  are  both  neces- 
sary and  sufficient  for  a point  x to  be  a con- 
strained minimum  (Ref.  15). 

Most  existing  nonlinear  programming 
methods  can  be  classified  either  as  methods  of 
feasible  direction  (such  as  Zoutendijk's  proce- 
dure and  Rosen's  gradient  projection  method) 
or  as  penalty  function  techniques  (such  as  the 
Fiacco-McCormick  method). 

12-3.5  METHODS  OF  FEASIBLE  DIRECTIONS

Methods of feasible directions use the same general approach as the
techniques of unconstrained minimization, but they are constructed to
deal with inequality constraints. The idea is to pick a starting point
that satisfies the constraints, and then to find a direction along
which a small move violates no constraint and, at the same time,
improves the objective function. We then move some distance in the
selected direction, obtaining a new and better point, and repeat the
procedure until we reach a point from which the objective function
cannot be improved without violating at least one constraint. In
general, such a point is a constrained local minimum of the problem,
not necessarily a global minimum for the entire region of interest.

A direction  along  which  a small  move  can 
be  made  without  violating  any  constraints  is 
called  a feasible  direction,  while  a direction 
which  is  feasible  and  at  the  same  time  im- 
proves the  objective  function  is  called  a usa- 
ble, feasible  direction.  Since  there  are  many 
ways  of  choosing  such  directions,  there  are 
many  different  methods-of-feasible-directions. 

An iterative procedure of this type is illustrated in Fig. 12-12. The starting point is $x_0$, and the usable, feasible direction chosen is

$$s_0 = -\nabla f(x_0). \qquad (12\text{-}20)$$

The procedure is to choose the distance moved along $s_0$ so as to minimize $f$, and the first improved point is $x_1$. Here, a problem arises: proceeding in the negative gradient direction at $x_1$ would violate the constraints. There are many feasible directions in which we could move from $x_1$; any direction pointing into the constraint set or along a constraint boundary would do. The "best" direction we can choose, however, is that feasible direction along which $f(x_1)$ decreases most rapidly, i.e., along which $s_1^T \nabla f(x_1)$ is minimized. This is the feasible direction that makes the smallest angle with $-\nabla f(x_1)$, and is the projection of $-\nabla f(x_1)$ on the constraint boundary.

The farthest we can move along $s_1$ without crossing the constraint boundary is to the point $x_2$. Repeating the smallest angle procedure leads us to $x_3$ with negative gradient $-\nabla f(x_3)$. At this point there is no usable feasible direction, since no feasible direction at $x_3$ makes an angle of less than 90 deg with $-\nabla f(x_3)$. In this case, $x_3$ happens to be at the global minimum of $f(x)$ over the constraint set.

The global minimum is not, however, always reached by this procedure. In this example, the same procedure, starting with $y_0$ in Fig. 12-12, leads to a local minimum at the point $a$, which is distinct from the global minimum at $x_3$. This example illustrates the difficulties such procedures may encounter with local optima. These difficulties are common to all methods, and one can be sure of avoiding them only for a convex programming problem.

12-3.5.1  Zoutendijk's  Procedure 


Consider the problem of minimizing $f(x)$, subject to the inequality constraints $g_i(x) \ge 0$; $i = 1, \ldots, m$. If a starting point $x_0$ that satisfies the constraints is assumed, the problem is to choose a vector $s$ which is both usable and feasible. Let $I$ be the set of indices $i$ for which $g_i(x_0) = 0$. For all feasible vectors $s$, a small move along the vector from $x_0$ makes no binding constraint negative; i.e., for all $i$ in the set $I$,

$$\frac{d}{d\alpha}\left[g_i(x_0 + \alpha s)\right]\Big|_{\alpha = 0} = \nabla g_i^T(x_0)\, s \ge 0 \qquad (12\text{-}21)$$

where $\alpha$ is the scalar parameter that determines how far along $s$ one might go. A usable, feasible vector has the additional property that

$$\frac{d}{d\alpha}\left[f(x_0 + \alpha s)\right]\Big|_{\alpha = 0} = \nabla f^T(x_0)\, s < 0 \qquad (12\text{-}22)$$

Therefore, the function initially decreases along such a vector.

FIGURE 12-12. Constrained Minimization With Usable, Feasible Directions⁴
The starting point is x0 on the lower left. The desired global minimum is at x3.

In searching for a "best" vector $s$ along which to move, we could choose the feasible vector that minimizes $\nabla f^T(x_0)\, s$. However, if some of the binding constraints were nonlinear, this could lead to the difficulty shown in Fig. 12-13. Here, the feasible direction $s_0$ that minimizes $\nabla f^T(x_0)\, s$ is the projection of $-\nabla f(x_0)$ on the tangent plane through the starting point $x_0$. Since the constraint surface is curved, movement along $s_0$ for any finite distance violates the constraint. Thus, a recovery move must be made to come back inside the constraint set. Repetitions of this procedure lead to inefficient zigzagging. Therefore, to avoid zigzagging, it is wise to choose a locally "best" direction that moves away from the boundaries of the nonlinear constraints as it decreases the objective function.

An algorithm using Zoutendijk's direction finding procedure is given in Table 12-2. Step 5 is almost the same as in the unconstrained case. It is still desirable to minimize the objective function along the vector $s$, but now no constraint may be violated. The cubic or quadratic interpolation procedures of Table 12-1, modified to account for constraints, may be used to compute $\alpha_i$. For convex programs, Zoutendijk's method converges to the global minimum (Ref. 12).

FIGURE 12-13. An Inefficient Search Procedure⁴
The zig-zag motion shown here is time-consuming and can be avoided by using Zoutendijk's minimization procedure.


12-3.5.2 Rosen's Gradient Projection Method

At each iteration of Zoutendijk's procedure, an optimization problem must be solved to find a direction in which to move. Although this direction is in some sense "best", the procedure can be time-consuming. An alternative is provided by Rosen's gradient projection method, where a usable, feasible direction is found without solving an optimization problem (Ref. 16). This direction, however, may not be locally "best" in any sense. Rosen's method, probably most efficient when all constraints are linear, uses the Kuhn-Tucker conditions both to generate new directions and as a stop criterion.

12-3.6 PENALTY FUNCTION TECHNIQUES

12-3.6.1 General

Since powerful methods are available for unconstrained minimization, it would seem convenient to solve constrained problems using unconstrained methods. This is exactly what a "penalty function" allows us to do.

Instead of dealing with the constraints directly, penalty function techniques find the unconstrained minimum of the function

$$\Phi(x) = f(x) + \sum_{i=1}^{m} \phi[g_i(x)] \qquad (12\text{-}23)$$

where $\phi[\cdot]$ is the penalty function, yet to be determined. For example, suppose that the penalty function is $\phi_0(y)$, where $\phi_0(y) = 0$ for $y \ge 0$, and $\phi_0(y) \to \infty$ for $y < 0$. If all constraints $g_i(x) \ge 0$ in Eq. 12-23 are satisfied, the summation term contributes nothing and minimizing $\Phi$ is equivalent to minimizing $f$. If any $g_i$ is less than zero, $\phi_0(g_i) \to \infty$, which is certainly not anywhere near the minimum of $\Phi(x)$; thus, the summation term "penalizes" any violation of the constraints. Any procedure which minimizes $\Phi$ will never select a point outside the constraint set and will, in fact, select that point of the constraint set that minimizes $f(x)$.

Unfortunately, there are certain difficulties that must be overcome in order to use this powerful technique. To illustrate them, consider the problem of minimizing $x_a^2 + x_b^2$ subject to the constraint $x_a \ge 3$; $x = (x_a, x_b)$. We know in advance that the solution to this problem is $x_a = 3$, $x_b = 0$. For this example,

$$\Phi(x) = x_a^2 + x_b^2 + \phi_0(x_a - 3). \qquad (12\text{-}24)$$

Contours of $\Phi$ in the feasible region (to the right of the line $x_a = 3$) are circles with center at the origin, and the penalty term $\phi_0(x_a - 3)$ has no effect. Just to the left of $x_a = 3$, $\Phi$ becomes unbounded, so that as soon as we move to the left from $x_a = 3$, we immediately cross all the contours of constant value. A gradient minimization procedure starting at $x_0$ would move to the boundary at $x_1$ and could proceed no further. In fact, since the function $\Phi$ is discontinuous and has no derivative along $x_a = 3$, minimization is almost hopeless.

These difficulties may be relieved by defining other, less "harsh" penalty functions. For example, the function $\phi_1(y)$, where $\phi_1(y) = 0$ for $y \ge 0$ and $\phi_1(y) = ky^2$ for $y < 0$, is continuous and has continuous first derivatives for all values of $y$ ($k > 0$). If $\phi_1$ is used, the penalty for constraint violations is no longer infinite and some violations are possible.

Consider applying this new penalty function to the previous problem by minimizing

$$\Phi(x) = x_a^2 + x_b^2 + \phi_1(x_a - 3). \qquad (12\text{-}25)$$

The contours of this function to the right of $x_a = 3$ are circular but to the left they are elongated ellipses, showing the same bunching effect as before. This effect gets worse as $k$ increases.

A gradual approach is more practical. Rather than solve only one unconstrained problem, we solve a sequence of such problems, each one bringing us closer to the final solution. For example, we can solve the problem with a small value of $k$. Then, using that solution as a starting point, choose a larger value of $k$ and re-solve the problem. Repeat the procedure several times. In general, the sequence of unconstrained minima approaches the solution of the original constrained problem.

When the penalty function $\phi_1$ is used, intermediate solutions usually violate the constraints. Thus, the method approaches the constrained minimum from outside the constraint set. In many cases, this may be unsatisfactory. If small violations of the constraints are not permitted, intermediate solutions often cannot be used. The method is inefficient if the objective or constraint functions are ill-behaved exterior to the constraint set. Moreover, the approach cannot be used at all when any of these functions is not defined outside of the constraint set.
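The gradual approach described above, as an added example that is not part of the handbook: the handbook's own problem (minimize $x_a^2 + x_b^2$ subject to $x_a \ge 3$) is solved with the quadratic penalty of Eq. 12-25 for an increasing sequence of $k$, each solve starting from the previous minimum. The function names, the fixed-step gradient descent, the starting point and the tolerance are assumptions of this sketch.

```python
import math


def phi1(y, k):
    """Quadratic exterior penalty: 0 for y >= 0, k*y**2 for y < 0."""
    return 0.0 if y >= 0.0 else k * y * y


def penalized(x, k):
    """Penalized objective of Eq. 12-25 for the constraint x_a >= 3."""
    xa, xb = x
    return xa * xa + xb * xb + phi1(xa - 3.0, k)


def grad_penalized(x, k):
    """Gradient of the penalized objective (continuous because phi1 is smooth)."""
    xa, xb = x
    violation = min(0.0, xa - 3.0)      # nonzero only to the left of x_a = 3
    return (2.0 * xa + 2.0 * k * violation, 2.0 * xb)


def minimize_penalized(x0, k, tol=1e-8, max_iter=200_000):
    """Fixed-step gradient descent; returns (minimizing point, steps taken)."""
    # The step must shrink as k grows because the curvature along x_a is
    # 2(1 + k) left of the boundary; progress along x_b slows accordingly.
    step = 1.0 / (2.0 * (1.0 + k))
    x = tuple(x0)
    for it in range(max_iter):
        g = grad_penalized(x, k)
        if math.hypot(*g) < tol:
            return x, it
        x = (x[0] - step * g[0], x[1] - step * g[1])
    return x, max_iter


def penalty_sequence(x0, ks):
    """Solve for each k in turn, warm-starting from the previous minimum."""
    results = []
    x = tuple(x0)
    for k in ks:
        x, iters = minimize_penalized(x, k)
        results.append((k, x, iters))
    return results


if __name__ == "__main__":
    start = (0.0, 2.0)                  # constructed starting point
    for k, x, iters in penalty_sequence(start, [1, 10, 100, 1000]):
        print(f"k={k:5d}  x_a={x[0]:.6f}  x_b={x[1]:.2e}  steps={iters}")
    _, cold = minimize_penalized(start, 1000)
    print("steps when k=1000 is solved directly from the start:", cold)
```

Every intermediate minimum has $x_a = 3k/(1+k) < 3$, so the sequence approaches the constrained solution from outside the constraint set, and solving the largest $k$ directly from the starting point takes far more steps than the warm-started sequence.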


12-3.6.2 The Fiacco-McCormick Method

The Fiacco-McCormick method avoids the difficulties we just described by approaching the optimum from inside the constraint set (Refs. 17 and 18). To use this method, we first define the function

Ψ(x, r) = f(x) + r

(12-26)

where $r > 0$. Let $r_1 > 0$ and choose $x_0$ inside the constraint set. In the problem of minimizing $\Psi(x, r_1)$ starting from $x_0$ and subject to no constraints, a minimum must exist inside the constraint set, since $\Psi(x, r_1) \to \infty$ on the boundary of this set (because some $g_i(x) = 0$). Thus, the path of steepest descent leading from the point $x_0$ (a path on which $\Psi(x, r_1)$ is strictly decreasing) cannot penetrate the boundary of the constraint set. The minimizing point depends, of course, on the choice of $r_1$, and is denoted by $x(r_1)$. By this reasoning, $x(r_1)$ will always be inside the constraint set.

If this minimization process is repeated for a sequence of values $r_1 > r_2 > \cdots > r_k > 0$, each minimizing point $x(r_i)$ also will be strictly inside the constraint set. Furthermore, as the value of $r$ is reduced, the influence of the term which "penalizes" closeness to the constraint boundaries (the last term in Eq. 12-26) also is reduced and, in minimizing $\Psi(x, r)$, more effort is concentrated on reducing the $f(x)$ term. Thus, the sequence of points $x(r_1), x(r_2), \ldots$ can come as close as necessary to the boundary of the constraint set. We would expect that as $r$ approaches zero, the minimizing point $x(r)$ approaches the solution of the original problem of minimizing $f(x)$ subject to the constraints $g_i \ge 0$.

This method is particularly attractive in dealing with problems that have markedly nonlinear constraints, since it approaches the solution value from inside the constraint set. Motion along the boundaries of this set, which can be very cumbersome when the boundaries have large curvature, is completely avoided.

Fiacco and McCormick have shown that all the previous conjectures are true under certain conditions (see Table 12-2). Condition 7 is not implied by conditions 5 and 6, but only small additional requirements on $f$ and $g_i$ are needed for it to hold (Ref. 16).

The Fiacco-McCormick procedure is given in Table 12-2. Step 2 may be accomplished by any of the unconstrained minimization procedures in this paragraph. In Step 3, $r$ ought to be reduced by dividing each time by the same factor.

12-4 DYNAMIC PROGRAMMING

Dynamic programming is a general approach for solving a sequential decision process. Optimization is merely one kind of sequential decision process. This topic is not grasped easily from a short exposition, nor is it often practical for reliability problems, except when the problems can as easily be solved another way. Therefore, several references (Refs. 19-22, 34) are given for further study, should the need arise.

Dynamic programming suffers from a major drawback: dimensionality. Problems with two or three state variables may be solved with increasing difficulty, and solution with more than three state variables is very difficult. This is because the functions $f_i(h)$, where $h$ is the state vector of dimension $k$, must be tabulated over a $k$-dimensional grid. If each dimension has 10 subdivisions, this requires the storage of $10^k$ numbers, which generally exceeds the fast memory space of most computers for $k > 4$. Any increase in $k$ is then quite difficult and can be accomplished only by trading memory space for computation time.

12-5 LUUS-JAAKOLA METHOD

Luus and Jaakola developed a very simple method for optimization by direct-search and interval-reduction, Refs. 35 and 36. It is extremely simple to program, evaluates no derivatives, does not invert any matrices and can handle inequality constraints. Equality constraints are presumed to have been eliminated by usual methods.

For integer problems, e.g., parallel redundancy, Luus has extended the method, again in a very simple way (both programming and conceptually), see Ref. 36. Especially for the novice, but even for the high-powered theorists, this method has a great deal of appeal and utility. Ref. 36 is reproduced as Appendix A.

12-6  APPLICATIONS 

It is difficult to find good nontrivial applications of complicated reliability optimization in the literature. Generally, in the literature, the analyst has to make too many unrealistic assumptions, or picks a problem no one in practice is really going to care about. For example, cost and weight are usually major real constraints; but there is not a continuum of equipments available with reliability tabulated as functions of cost and weight. Solving for optimum parallel redundancy in the presence of constraints is another favorite problem. But rarely are there more than a few redundant units; so the calculations could easily be carried out for all feasible combinations.

One ought to be concerned with the region around the optimum point. If it is very flat, then it makes little difference where, in the flat region, one chooses a solution. There are usually many important variables, mostly qualitative, that are left out of the formal analysis. These may well determine where in the flat region one chooses the solution.

If there are a great many independent variables, it is difficult to visualize the "space" in which the problem is to be solved. The ramifications of assumptions and solutions are difficult to grasp. Therefore, most big problems ought to be reduced to a series of little ones whose meaning can be comprehended. If necessary, one can go back after the first trial solutions and modify the way the little problems were formulated.

Perhaps the biggest difficulty of all with optimizing a very large problem is that when it is finished, people tend to be extremely pleased and impressed. They tend to believe that they now know the answer to some real-world problem. But they don't. What they do know is the answer to a mathematical problem which contains gross approximations (to be tractable) and which was solved with guessed-at data. Since "no one" can understand the whole problem at once, there is a tendency to grasp the computerized solution like a drowning man grasping at straws.

Obviously, some very complicated problems have been solved by optimization techniques. These tend to be problems where plant process operation is quite well known, but where the magnitude of the calculation is just too much. The models themselves tend to be rather simple in concept; their complexity comes from their scope.

Some journal articles which apply optimization techniques are Refs. 22-33; Ref. 33 is a relatively new approach. Anyone who wishes to apply optimization techniques to complicated reliability engineering problems ought to find professional assistance from people who are skilled in using the available computer programs. To begin from scratch is usually to waste inordinate amounts of time and money, except that the Luus-Jaakola method (par. 12-5) can be used by almost anyone; conceptually and practically it's so simple.

APPENDIX A

Optimization of System Reliability by a New Nonlinear Integer Programming Procedure (Ref. 36)

Abstract-This paper presents a useful procedure of solving nonlinear integer programming problems. It finds, first, a pseudo-solution to the problem, as if the variables were continuous. Then it uses direct search in the neighbourhood of the pseudo-solution to find the optimum. The effectiveness of the method is shown with a 15-variable problem, which requires about 1 day's FORTRAN programming effort and 8 seconds of computer time for its solution on an IBM 370/165 digital computer.

Reader Aids:

Purpose: Widen state-of-the-art

Special math needed for explanations: None

Special math needed for results: None

Results useful to: Design and reliability engineers, programmers.


INTRODUCTION

INCREASING reliability by the introduction of redundancy is well known. However, the problem of how to optimize the reliability through the selection of redundancy has not yet been adequately solved. Tillman and Liittschwager [1] presented an integer programming formulation for the solution of reliability problems. The method requires transformation of the objective function and introduction of auxiliary variables. Misra [2] discusses the overall applicability of integer programming approach to solving reliability problems; later Misra [3] introduces the use of Lagrange multipliers and the Maximum principle to solve reliability optimization problems. Sharma and Venkateswaran [4] presented a simpler method with no assurance of obtaining the true optimum. Banerjee and Rajamani [5] use the Lagrange multiplier approach to solve the reliability problem to yield optimum or near optimum results. Misra and Sharma [6] classified the methods into two groups, one which includes methods which require simple formulation and yield approximate results and the other which includes methods which are complicated but yield an exact integer solution to the problem. These authors then provide a geometric programming formulation for the reliability problem which gives an approximate answer.

The purpose of this paper is to present a method which is easy to formulate and which gives an optimum for the reliability optimization problem. Although there is no assurance of obtaining the global optimum, in practical problems the method will come very close to finding the global optimum.

PROBLEM FORMULATION

Maximize a nonlinear function of $n$ variables denoted by

$$f(x_1, x_2, \ldots, x_n)$$

subject to the constraints

$$g_i(x_1, \ldots, x_n) \le b_i, \quad i = 1, 2, \ldots, m \qquad (1)$$

$$x_i, \; i = 1, 2, \ldots, n \text{ must be positive integers} \qquad (2)$$

The constraint functions $g_i$ need not be linear and the number of inequality constraints $m$ need not be less than $n$. A procedure involving three steps is proposed.

SOLUTION TO THE GENERAL PROBLEM

Step 1: Solution to the Pseudo-Problem

Relax the condition of requiring each $x_i$ to be integer and solve the maximization problem as if the variables were continuous. Only an approximate solution is necessary to this pseudo-problem.

Step 2: Filling in the slack by steepest ascent

Take the values of $x_i$ obtained in Step 1 and convert them to integers by truncation (toward zero) so that the inequality constraints (1) are satisfied.

There may now be adequate slack in (1) to allow an increase in at least one of the $x_i$. Therefore, attempt to increment each $x_i$ by 1, check to see if (1) is satisfied, and increment only the $x_i$ which gives the greatest contribution to the maximization of $f$. Continue this filling of slack until no $x_i$ can be incremented without violating at least one of the constraints.

Step 3: Systematic exchange of variables

Carry out $n(n - 1)$ tests whereby one variable is incremented by 1 and the others are decremented by 1 in turn. For example, suppose $x_1$ is incremented to $x_1 + 1$. Now decrement $x_2$ to $x_2 - 1$ and check whether inequalities are satisfied. If so, then calculate the corresponding value of $f$ and compare that value to the maximum $f$ in Step 2. If the most recently calculated $f$ is greater, then retain in the memory the fact that $x_1$ incremented by 1 and $x_2$ decremented by 1 gives a better value. However, before making a change in this variable, continue through the entire cycle up to $x_n$. Then choose the set $x_i$ which has given the greatest value for $f$. Perform the cycle by incrementing $x_2$ and continue with $x_3$, $x_4$, etc. up to $x_n$. In total, there are thus a maximum of $n(n - 1)$ tests to be done. The set giving the largest value of $f$ is retained as the optimum.

TABLE 1

Reliability, Cost and Weight Factors for Example 1

Stage number   Reliability   Cost    Weight   Allocation (x_i)
     i             r_i        c_i     w_i     Step 1    Step 3
     1            0.80        1.2     1.0      5.3        6
     2            0.70        2.3     1.0      6.3        6
     3            0.75        3.4     1.0      5.3        5
     4            0.85        4.5     1.0      3.8        4

System reliability                             0.9979    0.9977
System cost (56 max)                           56.0      56.0
System weight (30 max)                         20.7      21.0

TABLE 2

Reliability, Cost and Weight Factors for Example 2

Stage number   Reliability   Cost    Weight   Allocation (x_i)
     i             r_i        c_i     w_i     Step 1    Step 3
     1            0.90         5       8       2.9        3
     2            0.75         4       9       4.2        4
     3            0.65         9       6       4.9        5
     4            0.80         7       7       3.7        3
     5            0.85         7       8       3.0        3
     6            0.93         5       8       2.3        2
     7            0.78         6       9       3.4        4
     8            0.66         9       6       5.0        5
     9            0.78         4       7       4.0        4
    10            0.91         5       8       2.7        3
    11            0.79         6       9       3.5        3
    12            0.77         7       7       3.7        4
    13            0.67         9       6       5.1        5
    14            0.79         8       5       4.3        5
    15            0.67         6       7       5.0        5

System reliability                             0.952     0.945
System cost (400 max)                          386.0     389.0
System weight (414 max)                        413.7     414.0

EXAMPLES

Since there is no assurance that the global optimum is reached, it is instructive to test this method by applying it to a class of reliability problems which have been handled by other methods.

Example 1

The reliability problem [6] maximizes the reliability function

/»n  (3) 

subject to the constraints

$$\sum_{i} c_i x_i \le 56 \qquad (4)$$

$$\sum_{i} w_i x_i \le 30 \qquad (5)$$

There are 4 stages and the reliability, cost, and weight factors are given in Table 1.

For Step 1, it is easiest to use the optimization method of Luus and Jaakola [7]; see the Appendix for the simple algorithm. The initial value for each $x_i$, $i = 1, 2, \ldots, 4$ was chosen as 2.0, the initial region for the random numbers at 5.0, the reduction factor for the regions after each iteration was chosen to be 0.02, and 100 iterations were specified. The algorithm for Step 1 is given in the Appendix.

At the end of Step 1 the results are as shown in Table 1. These values of $x_i$ were then truncated and Steps 2 and 3 were performed to yield the results shown in Table 1. The answer is better than that obtained by Misra and Sharma [6].

The total computation time by the 3-step procedure was 3 seconds on IBM 370/165 digital computer, during which the reliability function was evaluated 5384 times.

Example 2

To provide a more rigorous test of the proposed procedure, consider a 15 stage reliability problem where the constraints of (4) and (5) are 400 and 414 respectively; the reliability, cost and weight factors are in Table 2.

Exactly the same computational procedure as in Example 1 was used. The results after Steps 1 and 3 are given in Table 2. The total number of function evaluations was 5362 and the computation time was 7.8 seconds.

DISCUSSION

The negligible computation time for the 15 stage reliability problem shows that the proposed method is very useful for solving reliability problems where discrete units are specified. To emphasize that the recommended procedure does not involve exhaustive enumeration requires only a very simple calculation. Suppose we look at the possibility of having either 1, 2, 3, 4 or 5 units at each of the 15 stages. To evaluate all possibilities would require $5^{15} = 3 \times 10^{10}$ calculations, which is an immense, completely impractical number.

APPENDIX

Algorithm for Direct Random Search and Interval Reduction
[Equality constraints are presumed to have been eliminated.]

Notation:

$x$          the set of $x_i$ which are the unknowns
$x^{*(j)}$   the center value of $x$ at iteration $j$, which corresponds to the best value of $x$ at iteration $j - 1$
$r^{(j)}$    the set of $r_i$ which are the ranges for direct search at iteration $j$; the direct search for $x_i$ is over the range $x_i^{*(j)} - 0.5\, r_i^{(j)}$ to $x_i^{*(j)} + 0.5\, r_i^{(j)}$
$y$          a pseudo random number uniform over the range -0.5 to 0.5
$n$          total number of iterations, e.g., $n = 100$
$p$          number of random trials for each iteration, e.g., $p = 100$
$\epsilon$   the small number by which the range is reduced for each iteration, e.g., $\epsilon = 0.02$

Algorithm:

0. Choose initial values $x^{*(j)}$ and $r^{(j)}$; set $j = 1$.

1. Calculate $p$ sets $x^{(j)} = x^{*(j)} + y\, r^{(j)}$; $y$ is a new pseudo random number for each calculation.

2. Test the inequality constraints; retain only those $x^{(j)}$ that satisfy the constraints. Calculate the objective function for each retained $x^{(j)}$.

3. Find the $x^{(j)}$ which maximizes the objective function. Call it the center value for the next iteration. If the maximum number of iterations is reached, stop.

4. Calculate $r^{(j+1)} = (1 - \epsilon)\, r^{(j)}$. Increment $j$ and go to Step 1.
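The three-step procedure and the direct random search above, applied to Example 1, as an added example that is not code from the paper or the handbook. It assumes the usual parallel-redundancy objective $f = \prod_i [1 - (1 - r_i)^{x_i}]$ and the linear cost and weight constraints with limits 56 and 30, which reproduce the totals in Table 1; the function names, the fixed seed and the repetition of Steps 2 and 3 until no exchange helps (the paper describes a single pass) are also assumptions.

```python
import math
import random

# Example 1 data as read from Table 1.
R = [0.80, 0.70, 0.75, 0.85]   # stage reliabilities r_i
C = [1.2, 2.3, 3.4, 4.5]       # stage costs c_i
W = [1.0, 1.0, 1.0, 1.0]       # stage weights w_i
COST_MAX, WEIGHT_MAX = 56.0, 30.0
TOL = 1e-9                     # lets a total of exactly 56.0 pass despite rounding


def reliability(x):
    """ASSUMED objective: series system of parallel-redundant stages."""
    return math.prod(1.0 - (1.0 - r) ** xi for r, xi in zip(R, x))


def feasible(x):
    """Cost and weight limits, plus at least one unit per stage."""
    return (all(xi >= 1 for xi in x)
            and sum(c * xi for c, xi in zip(C, x)) <= COST_MAX + TOL
            and sum(w * xi for w, xi in zip(W, x)) <= WEIGHT_MAX + TOL)


def luus_jaakola(x0, r0, n=100, p=100, eps=0.02, seed=1):
    """Step 1: direct random search with interval reduction (Appendix)."""
    rng = random.Random(seed)          # fixed seed so the run is repeatable
    center, best = list(x0), reliability(x0)
    width = list(r0)
    for _ in range(n):
        it_x, it_best = center, best   # keep the old center if no trial beats it
        for _ in range(p):
            trial = [c + rng.uniform(-0.5, 0.5) * w
                     for c, w in zip(center, width)]
            if feasible(trial) and reliability(trial) > it_best:
                it_x, it_best = trial, reliability(trial)
        center, best = it_x, it_best
        width = [(1.0 - eps) * w for w in width]
    return center


def fill_slack(x):
    """Step 2: keep adding one unit where it raises f the most."""
    x = list(x)
    while True:
        candidates = []
        for i in range(len(x)):
            t = list(x)
            t[i] += 1
            if feasible(t):
                candidates.append((reliability(t), t))
        if not candidates:
            return x
        x = max(candidates)[1]


def best_exchange(x):
    """Step 3: the n(n-1) tests, +1 on one variable and -1 on another."""
    best_val, best_x = reliability(x), list(x)
    for i in range(len(x)):
        for j in range(len(x)):
            if i == j:
                continue
            t = list(x)
            t[i] += 1
            t[j] -= 1
            if feasible(t) and reliability(t) > best_val:
                best_val, best_x = reliability(t), t
    return best_x


def integer_refine(x_cont):
    """Truncate toward zero, then alternate Steps 2 and 3 until stable."""
    x = fill_slack([int(v) for v in x_cont])
    while True:
        nxt = best_exchange(x)
        if nxt == x:
            return x
        x = fill_slack(nxt)


def solve(seed=1):
    """Paper's settings: start at 2.0, initial range 5.0, 100 iterations."""
    x_cont = luus_jaakola([2.0] * 4, [5.0] * 4, seed=seed)
    return x_cont, integer_refine(x_cont)


if __name__ == "__main__":
    x_cont, x_int = solve()
    print("Step 1:", [round(v, 2) for v in x_cont], round(reliability(x_cont), 4))
    print("Step 3:", x_int, round(reliability(x_int), 4))
```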
CHAPTER 13 COMPUTER PROGRAMS


13-1 INTRODUCTION

Modern computers are powerful tools that can be used by the engineer to compute the reliability characteristics of complex systems. A variety of mathematical methods have been developed which can be applied to solving many different types of reliability problems. Programs are available for computing parameters such as reliability, availability, and MTF for repairable and unrepairable systems.

Some of the programs can handle very large systems of hundreds of elementary units for which failure and repair information must be provided. Other programs permit cost-effective systems to be designed by computing optimum allocations of redundant units which obey constraints on weight, size, cost, and other factors. Simulation techniques have been developed for systems that are too complex to be evaluated by other methods.

A large number of computer programs have been developed for predicting the reliability parameters of systems. These programs have been written by many companies for a number of governmental agencies. Some of the programs were developed for a specific system, and some are more general and can be applied to many system configurations.

13-2 MATHEMATICAL AUTOMATED RELIABILITY AND SAFETY EVALUATION PROGRAM (MARSEP)

MATHEMATICA, Inc., developed a program that automates the evaluation of the reliability and unreliability of electromechanical systems (Ref. 1). MATHEMATICA'S AUTOMATED RELIABILITY AND SAFETY EVALUATION PROGRAM (MARSEP) was originally developed for the SANDIA Corporation for use in evaluating nuclear weapon systems. It can be used for both reliability and unreliability calculations. The unreliability calculations are used in system safety analyses where unreliability terms of very small magnitude may be very important.

MARSEP provides a means of computing an exhaustive Boolean expression that includes all possible success and failure events. MARSEP has been programmed for computers at the Picatinny Arsenal and the Harry Diamond Laboratories.

MARSEP accepts as input a description of the system and a definition of system success. The computer determines which combinations of component events are required for system operation and system failure.

The system description contains a list of individual system components and their operating and failure modes. A set of two events, success and failure, must be defined for each component. Failure of any individual component does not cause failure in any other component.

A simple circuit consisting of a battery, switch, relay, light, and squib is shown in Fig. 13-1. The circuit description includes all terminals and wires, including the ground terminal. In using MARSEP, it is assumed that possible failure in connections and wire leads are important and must be considered.

A model must be prepared from the circuit diagram. The MARSEP model is a block diagram whose elements represent the individual system components, their possible failure modes, and operating conditions. Some of the symbols used to prepare a MARSEP model are shown in Table 13-1. The MARSEP model for the sample circuit is shown in Fig. 13-2.

MARSEP provides a modeling language that is used to describe the elements in the MARSEP model and their interconnections. Each element in the MARSEP model must be given a name for use in the system description part of the input data. For example, in Fig. 13-2, the battery is defined as BATTRY, and the short mode of failure is called SHORT.

A set of symbols is also required, each symbol representing the probability of occurrence of the usual (most likely) event(s) for each element in the MARSEP model. The prefix P is used to identify events which correspond to a component functioning successfully, or transmitting a signal, or both. The prefix Q identifies events associated with a component failing to function, or opening the circuit, or both. Both types of symbols are referred to as P Names. Table 13-2 shows the P Names assigned to elements in the sample system and the events which they define.

TABLE 13-1  MARSEP MODELING SYMBOLS¹

MODELING BOXES, with electrical interpretations

BASIC MODELING. Passes signal from input (1) to output (2). Has success and failure events associated with it.

SIGNAL SOURCE. This box produces a signal at (2). It can be affected by shorts to ground and connections to ground.

AND BOXES. These boxes usually need both a usual input (1) and a second input (2) in order to provide an output at (3). There is a second event set defined for the situation when the input at (2) is missing.

SHORT-TO-GROUND. If this box fails the circuit is shorted to ground.

FUSE. This box indicates a point in the circuit which should open when a signal passes through it.

BOX OR TERMINAL MODIFIERS

QUALITY SENSITIVE. Indicates that the box on which this appears is sensitive to the type of input received. A different event set is defined for each type of input. Signal types are defined at their source.

ENVIRONMENT. An externally determined input that provides for conditional event sets in the model.

MODELING DIODE. Indicates that a high resistance to ground exists within the box to which it is attached. This is interpreted as preventing a ground connection from draining a signal source.

TABLE 13-2  ASSIGNMENT OF P NAMES TO SIMPLE CIRCUIT MODEL¹

ELEMENT NAME   P NAME   EVENT
BATTRY         PVOLT    battery delivers proper voltage
SHORT          PSTG     short to ground does not occur at this point
START          PCLOS    switch closes when pressure applied
               QOFF     switch remains open before pressure is applied
COIL           PPICK    symbolizes the event that coil picks contact when proper input is applied
CONTCT         PCONT    contacts provide continuity when picked
               QERLY    contacts remain open before relay is picked
LIGHT          PLITE    light burns when proper voltage applied
FUSE           POPEN    squib opens when proper input applied
SQUIB          PBLOW    squib fires when proper voltage is applied
WIRE           PGOOD    wire carries signal applied

FIGURE 13-2.  MARSEP Model of Simple Circuit¹

Legend recovered from the figure (environment: HAND ON):

ELEMENT                 MARSEP MODEL ELEMENT NAME   P NAME
Battery                 BATTRY                      PVOLT
Short in battery        SHORT                       PSTG
Start switch            START                       PCLOS, QOFF
Relay coil              COIL                        PPICK
Relay contacts          CONTCT                      PCONT, QERLY
Light                   LIGHT                       PLITE
Fuse action of squib    FUSE                        POPEN
Squib                   SQUIB                       PBLOW
Wire                    WIRE                        PGOOD

Special component properties and environmental or outside factors can be included in the MARSEP model. For example, in Fig. 13-2, the effect of the human operator who turns the system on and off is shown as START with the corresponding P Names PCLOS and QOFF. The effects of pressure and temperature, as well as enabling procedures, also can be included.

By use of the MARSEP modeling language, the element names, and the P Names, the MARSEP model is converted into a series of statements which become the input to the MARSEP program. Table 13-3 shows some elements of the MARSEP modeling language.

The  MARSEP  program  consists  of  three 
subprograms:  (1)  the  preprocessor,  (2)  the 
analyzer,  and  (3)  the  postprocessor.  The 
system  to  be  analyzed  is  represented  in  the 
computer  by  lists  of  components  and  a list 
structure  for  each  component  and  terminal. 

The preprocessor accepts as input a description of the system which is converted into the required format for the analyzer. Then, the analyzer, written in Information Processing Language V (IPLV), generates the success and failure expressions for the system. The postprocessor substitutes the external names provided in the input for the internal symbols used by the analyzer. The equations generated by the analyzer are not altered by the postprocessor. The MARSEP program also edits and applies set theory to the success and failure expressions.

For the system in Fig. 13-1, the MARSEP program would perform an analysis of the effects of shorts-to-ground and spurious electrical connections (shorts) on the operation of the system. In the shorts-to-ground analysis it is assumed that components transmit a signal that must be maintained at some level other than the level associated with ground. All ground terminals or possible connections to ground are, therefore, examined to determine if they can possibly nullify a useful signal in the system. Special messages are printed in the program output which indicate when useful signals are nullified at their source by a connection to ground. Shorts between terminals in the system are checked to determine if they can cause undesirable operation. The user can designate in his input statements where shorts are likely to occur, and the program also will search automatically for shorts.

Outputs prepared by MARSEP for the sample circuit are presented in Table 13-4. Two expressions are developed for system success. The first expression is for system success when the environment EHAND is applied in such a way that the switch is open. The second expression is for system success when the switch is closed by the hand.

TABLE 13-3  MARSEP MODELING LANGUAGE¹

A2 (P name)
    This attribute states the probability that the given element works, given all proper inputs, is P name.

A3 (B name, P name)
    Denotes the element receives an enabling input from element B name; in the absence of that input, the element will give an output with probability P name. (The probability of nonoperation given a proper enabling input is given by A2.)

A4 (B name 1 ... B name n)
    Denotes the element has enabling outputs to the elements B name 1 ... B name n.

A14 (E name, P name)
    E name is the name of some environment; it is any item such as HEAT, PRES 6, RAD 2, etc., that is listed as an environment. P name is the probability that the element functions in the absence of named environment.

A6 (T name, A name, N name, P name*, N name, P name*, ..., N name, P name)
    Thus, A6 is followed by a compound list:
    T name (or V name) is the name of an input terminal to the element which is dependent upon the value of the input signal (quality input).
    A name is either A10 if the input is voltage-sensitive, one of the attributes, or A50 through A90 for nonvoltage sensitive sources. The A number may be left out of subsets after the first subset. In this case it will be interpreted to be the same as the last one listed.
    N name is either a value of the input signal at the terminal in question (i.e., an integer) or an item with head N which will symbolically indicate a signal level.
    P name is the probability of operation given N name. The probability of nonoperation given the usual value of N name is given in A2.
    Only one A6 is allowed per element.

A9
    Short to ground.

A10 (T name, N name)
    Indicates that the named terminal is voltage source whose value is given by N name. N name is defined as for A6.

Ann (T name, N name)
    nn can range from 50 through 90. This set is used to identify a power source other than a voltage source.

A12
    Indicates Q name of A2 is very near to one.

A99
    Any box that has A99 attribute: Terminal device.

A2 (see format discussed above)
A3 (see format discussed above)
A14 (see format discussed above)
A16 (see format discussed above)
    P name for A16 attribute is probability of operation given no environment and activation.

A17 (E name 1, P name 1, E name 2, P name 2, P name 3)
A2 (same format as is discussed above)
    where:
    P name 1 is probability that box operates given E name 1 is present.
    P name 2 is similar to P name 1.
    P name 3 is probability of operation given E name 1 and E name 2 are absent.

A7 (T name, ..., T name)
    Indicates that the named terminals will not propagate a ground.

13-3 GENERAL EFFECTIVENESS METHODOLOGY (GEM)

The GEM system was developed by the Naval Applied Sciences Laboratory in order to provide engineers with a user oriented reliability evaluation technique (Refs. 2-5). The user interacts with GEM by means of a language especially developed for use in reliability problems.

The GEM system consists of the GEM language, a System Library, a Formula Library, and a program system containing a processor and update programs.

The GEM processor is designed to accept descriptions of reliability block diagrams together with associated data and to calculate one or more reliability measures. The description and computed results can be stored in the System Library which can later be retrieved, modified, and re-evaluated.

The Formula Library contains a set of mathematical subroutines for computing various reliability parameters, relieving the engineer of the burden of constructing a new program for each new system evaluation.

The GEM program system was developed using a modular approach that facilitates the modification of existing programs and addition of new routines as needed. The general organization of the GEM program system is shown in Fig. 13-3.

GEM can be used to support systems development, trade-off analyses, evaluation, and optimization. The processor is structured to evaluate variables such as reliability with or without repair, instantaneous availability, and interval reliability for systems that include such hardware interdependencies as bridge networks, shared elements, standby equipment, and environmental strategies and priorities including repairmen and spare parts pools (see Fig. 13-4).

13-3.1  STRUCTURE  OF  GEM 

The engineer using GEM provides a system description consisting of a reliability model: failure, repair, and replacement rates; the up-state rules; replacement and repair strategies; and support constraints for the system. The support constraints are the number of repairmen and their specific assignment, the number of spares pools, the spares in each pool and identification of the items that share each pool, allocation strategies to be used in cases of conflicting demands on repairmen and/or spares, and identification of items to be held in standby. The user also specifies which reliability parameters are to be calculated by the GEM processor.

The system description is written in the GEM System Definition Language, and the parameters to be calculated are stated in the GEM Command Language (Ref. 4). The Command Language also is used to make modifications to previously defined system descriptions.

The System Library is a magnetic tape containing system descriptions, calculation requests, and calculated results for previously evaluated systems (Ref. 5). The Formula Library is a magnetic tape containing the formulas and computer routines for calculating the reliability parameters that are part of the GEM system (Ref. ft).

The GEM processor refers to the System Library (if the system has been previously evaluated) and the Formula Library, while it first translates the system description and calculation requests into a mathematical model for computing the parameters requested, then performs the calculations, and finally, prints the results.

Error-checking routines are built into the processor to detect omissions, inconsistencies in the description or data, wrong parameters, impossible values of parameters, and other errors. When errors are detected, the processor prints error messages that define the nature of the errors and their location.

The  GEM  system  also  contains  a set  of 
Library  Update  Programs  for  generating, 
maintaining,  and  updating  the  System  Library 
and  the  Formula  Library. 

The GEM system provides a printed output in the form of a tabulation of computed results or a plot output. The user’s original system description is presented as part of the output.

FIGURE 13-3.  GEM Program System Organization⁴


The GEM program was implemented on a CDC 6600 computer located at the Courant Institute of New York University. Minimum requirements for running the program are 135,000 words of memory for most problems and 300,000 words for calculating reliability with repair and availability of systems with nonexponential failure and/or repair distributions. The GEM processor was designed using the Chippewa Operating System.

13-3.2  THE  GEM  SYSTEM 

The  computer  equipment  configuration 
required  by  the  GEM  processor  is: 

1.  CDC  6600 

2.  Five  magnetic  tape  drives 

3.  Disc  file 

4.  Card  reader 

5.  Printer. 

All possible GEM inputs and outputs are illustrated by the GEM flow diagram, Fig. 13-5. The GEM processor requires formula input and system definition input. Formula input takes one of the three following forms:

1. Previously created formula library tape.

2. A new formula library tape, created from a set of cards, containing variables, formulas, and update commands.

3. A revised formula library tape created from a combination of the two preceding forms, i.e., a previously created formula library tape, plus a set of cards containing additional variables, formulas, update commands, etc., which would result in a revised formula library tape.

System  definition  input  takes  one  of  the 
three  following  forms: 

1. A set of cards containing system definitions, evaluation verbs, and (if desired) modification verbs.

2. A previously created system library tape plus a set of cards containing evaluation and modification verbs (and, if additional systems are required, a set of cards containing new system definitions).

3. A previously created print file tape (containing system definitions) plus a set of cards containing evaluation and modification verbs (and, if additional systems are required, a set of cards containing new system definitions).

Output consists of a printout sheet (printed output listings) and a magnetic tape (Print File).

FIGURE 13-4.  Interrelation of GEM Environmental Vector Definitions and Overall System Effectiveness

FIGURE 13-5.  GEM Input/Output Diagram

There are three phases to GEM. During Phase 1, information is read (transferred) into the computer, error checked, and stored in files within the computer in a compact form. Phase 2 processing involves making the modifications indicated by the original modification commands. In Phase 3, the newly created system is used to generate a FORTRAN source program, to permit the calculation of the systems effectiveness measures. The FORTRAN program is compiled and executed, the answer tables are created, and, subsequently, the output (a printout of the evaluated systems and error messages and a print file tape) is generated.

13-3.3  THE  GEM  LANGUAGE 
13-3.3.1  The  System  Definition  Language 

Some of the basic elements (vocabulary) of the System Definition Language are (Ref. 4):

1.  Level  Number 

2.  Duplicate  Number 

3.  Item  Name 

4.  Formula  Name 

5.  Parameters 

6.  Environmental  Vectors  (E  Vectors). 

The Level of an item is its level of comprehensiveness or its position in a hierarchy that represents the manner in which the user views the system.

The  Duplicate  number  of  an  item  states 
the  number  of  identical  items  in  a system  and 
is  used  to  avoid  having  to  describe  identical 
items  more  than  once. 

The  Item  Name  is  used  for  identification 
and  is  arbitrarily  chosen  by  the  user.  Names 
need  not  be  unique  except  for  items  of  the 
same  level  if  they  are  not  identical. 

The Formula Name is either a statement of the relationship that items in a lower level bear to one another, or it identifies the name of a failure and/or repair distribution associated with a lowest level item.

The  Parameters  serve  as  either  further 
clarification  of  the  relationship  stated  in  the 
formula  or  they  give  the  parameters  of  the 
failure  and/or  repair  distributions  associated 
with  the  lowest  level  items. 


Environmental  Vectors  serve  two  basic 
functions.  They  enable  the  user  to  describe 
complex  configuration  or  upstate  rules  which 
cannot  be  stated  in  terms  of  series-parallel 
statements.  They  also  enable  one  to  specify 
constraints  with  respect  to  repairmen  and/or 
spares  as  well  as  their  deployment  and  the 
order  of  priority  to  be  followed  when  there 
are  not  enough  repairmen  and/or  spares  for 
every  item  that  is  in  a downstate. 

13-3.3.2  Illustration  of  the  System  Definition 
Language 

The concept used in describing a system configuration in GEM permits the connectivity of the items in a block diagram to be defined in stages (levels of comprehensiveness) so that more detail is stated at each level until the lowest level item is reached. In effect, the block diagram consists of a hierarchy of levels and, at each level, the appropriate relationship of the items just one level below is defined. To illustrate this procedure, consider the block diagram in Fig. 13-6.

The system in Fig. 13-6 is made up of two subsystems connected in series. The first subsystem consists of four identical items and the upstate rule is that at least two must be up (2-out-of-4:G). The second subsystem is a parallel-series configuration. The breakup of a system in terms of its levels can be portrayed by a GEM diagram. For the example in Fig. 13-6 this would have the form shown in Fig. 13-7. The description of this system in the GEM Definition Language would be as in Table 13-5.

In Table 13-5, the entry in the Formula column designates that at the 01 level, the rule of combination for the two 02 level items (SBSYS1 and SBSYS2) is the statement that these items are connected in series (SER). It is not necessary to state the mathematical formula for a series connection, only its code. At the first 02 level, the Formula entry is PAR to designate that the four 03 level items are connected in parallel. The entry in the Parameter column, M = 2, states that at least two of the 03 items must be up in order for the 02 item to be up. The entry of 4 in the Dup. column for item A states that there are four identical items, each called A, and the FENO entry in the Formula column states that the times to failure of item A are exponentially distributed. The parameter of the distribution (the failure rate λ) is given in the Parameter column. The other entries are made in a similar manner. Table 13-6 explains the other formula symbols and gives the parameter notations to be used.

FIGURE 13-6.  Sample System for GEM Analysis⁴

FIGURE 13-7.  GEM Diagram for Sample System⁴

TABLE 13-5  SYSTEM DESCRIPTION IN GEM SYSTEM DEFINITION LANGUAGE⁴

Level  Dup.  Name    Formula  Parameters
01           SYSTM   SER
02           SBSYS1  PAR      M = 2
03     4     A       FENO     λ =
02           SBSYS2  PAR      M = 1
03           AB      SER
04           A       FLNO     μ = , σ =
04           B       FWNO     α = , β =
03           CDE     SER
04           C       FGNO     α = , β =
04           DE      PAR      M = 1
05           D       FLNO     μ = , σ =
05           E       FTNO     μ = , σ =

TABLE 13-6  GEM SYSTEM DEFINITION LANGUAGE FORMULA SYMBOLS⁴

FORMULA NAME  MEANING                                    PARAMETERS
FENO          One piece of equipment with exponential    RLAM - Failure Rate
              failure and no repair.
FWNO          One piece of equipment with Weibull        ALPH - TIME PER FAILURE
              failure and no repair.                     BETA -
FGNO          One piece of equipment with gamma          ALPH - TIME PER FAILURE
              failure and no repair.                     BETA -
FLNO          One piece of equipment with lognormal      XMU -
              failure and no repair.                     SIG
FTNO          One piece of equipment with truncated      XMU -
              s-normal failure and no repair.            SIG
SER           The subsystems are in series.              All the resultant names of the
                                                         subsystems must be X.
PAR           The subsystems are redundant (parallel)    M - The number that must be working.
              of which M must be working.                All the resultant names of the
                                                         subsystems must be X.
LIN           The subsystems are identical and laid      M - The number which must be working.
              out in a linear array. M must be working   The resultant names of the
              and no two adjacent subsystems may have    subsystems must be X.
              failed.
CIR           The subsystems are identical and laid      M - The number which must be working.
              out in a circular array. M must be         The resultant names of the
              working and no two adjacent subsystems     subsystems must be X.
              may have failed.

13-3.3.3 Additional Characteristics of the System Definition Language

The preceding description of the system is valid only for the computation of a variable that can be calculated by purely combinatorial means, starting from the lowest level item results and continuously passing these up to a higher level until the top level (01) or system answer is obtained. This procedure can be used to calculate reliability without repair (R) and/or availability in the absence of repairmen and/or spares constraints (provided the repair distribution for each item is given).
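
The bottom-up combinatorial calculation described above, as an added example that is not GEM code and not part of the handbook: rows in the column order of Table 13-5 are turned into a level hierarchy, checked for inconsistencies, and reliability without repair (R) is passed up through SER and PAR. The failure rates are constructed, every equipment item is simplified to FENO, and the function names are this example's own.

```python
import math

LEAF = {"FENO"}         # equipment formula: exponential failure, no repair
GROUP = {"SER", "PAR"}  # rules of combination for the items one level below

# Constructed input in the column order of Table 13-5:
# (level, dup, name, formula, parameters). The hierarchy is the sample system's;
# the failure rates are made up and every equipment item is simplified to FENO.
ROWS = [
    (1, 1, "SYSTM", "SER", {}),
    (2, 1, "SBSYS1", "PAR", {"M": 2}),
    (3, 4, "A", "FENO", {"RLAM": 0.002}),
    (2, 1, "SBSYS2", "PAR", {"M": 1}),
    (3, 1, "AB", "SER", {}),
    (4, 1, "A", "FENO", {"RLAM": 0.002}),
    (4, 1, "B", "FENO", {"RLAM": 0.001}),
    (3, 1, "CDE", "SER", {}),
    (4, 1, "C", "FENO", {"RLAM": 0.0005}),
    (4, 1, "DE", "PAR", {"M": 1}),
    (5, 1, "D", "FENO", {"RLAM": 0.004}),
    (5, 1, "E", "FENO", {"RLAM": 0.003}),
]


def build_tree(rows):
    """Turn level-numbered rows into a tree, rejecting inconsistent input."""
    root, stack = None, []
    for level, dup, name, formula, params in rows:
        if formula not in LEAF | GROUP:
            raise ValueError(f"{name}: unknown formula {formula}")
        if dup < 1:
            raise ValueError(f"{name}: duplicate number must be at least 1")
        node = dict(level=level, dup=dup, name=name, formula=formula,
                    params=params, children=[])
        while stack and stack[-1]["level"] >= level:
            stack.pop()  # climb back up to this row's parent
        if not stack:
            if root is not None or level != 1:
                raise ValueError(f"{name}: need exactly one 01 item, stated first")
            root = node
        else:
            parent = stack[-1]
            if level != parent["level"] + 1:
                raise ValueError(f"{name}: level {level:02d} skips a level")
            if parent["formula"] in LEAF:
                raise ValueError(f"{name}: {parent['name']} is equipment, not a group")
            parent["children"].append(node)
        stack.append(node)
    if root is None:
        raise ValueError("empty description")
    _check(root)
    return root


def _check(node):
    """Validate groups (members, M in range) and equipment parameters."""
    if node["formula"] in LEAF:
        if node["params"].get("RLAM", -1.0) < 0:
            raise ValueError(f"{node['name']}: FENO needs RLAM >= 0")
        return
    n = sum(c["dup"] for c in node["children"])
    if n == 0:
        raise ValueError(f"{node['name']}: group has no lower-level items")
    if node["formula"] == "PAR" and not 1 <= node["params"].get("M", 0) <= n:
        raise ValueError(f"{node['name']}: M must lie between 1 and {n}")
    for child in node["children"]:
        _check(child)


def at_least_m(probs, m):
    """P(at least m of the independent items are up); items may differ."""
    dist = [1.0]  # dist[k] = P(exactly k of the items seen so far are up)
    for p in probs:
        nxt = [0.0] * (len(dist) + 1)
        for k, q in enumerate(dist):
            nxt[k] += q * (1.0 - p)
            nxt[k + 1] += q * p
        dist = nxt
    return sum(dist[m:])


def reliability(node, t):
    """Reliability without repair (R) of one copy of node at mission time t."""
    if node["formula"] == "FENO":
        return math.exp(-node["params"]["RLAM"] * t)
    # A lower-level item with duplicate number n counts as n identical items.
    below = [r for c in node["children"] for r in [reliability(c, t)] * c["dup"]]
    if node["formula"] == "SER":
        return math.prod(below)
    return at_least_m(below, node["params"]["M"])


if __name__ == "__main__":
    system = build_tree(ROWS)
    for t in (0, 100, 500):
        print(f"t={t:>4}  R={reliability(system, t):.6f}")
```

The same walk does not give reliability with repair for a group whose items are s-dependent, which is the limitation the next paragraph describes.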

This procedure cannot be used to calculate reliability with repair (RR) since RR for SBSYS2 cannot be obtained from the values of RR for items A-E by somehow combining these results. (As a matter of fact, the RR’s for A-E are equal to the R’s for these items.) The reason for this is that Items A-E are s-dependent for the purpose of calculating RR for SBSYS2, although they are not s-dependent for the purpose of calculating R. However, since SBSYS1 and SBSYS2 are connected in series, it is permissible to calculate RR for SBSYS1 and SBSYS2 separately and then obtain RR for SYSTM by combining these results in series, i.e., by multiplying them.

Whenever items have to be handled as a group due to their s-dependence, either because of the variable to be computed or because they share spares and/or repairmen, then the preceding description of the system is not adequate, and a different one has to be used. Also, if any part of the block diagram contains items that are connected in a manner that cannot be expressed as combinations of series-parallel groups, i.e., the upstate rules cannot be given in terms of series-parallel statements, then another means of describing the configuration is required, even for the purpose of calculating R.


To permit system descriptions of a more general nature and to provide the user with a capability to impose repairmen and/or spares constraints, the System Definition Language of GEM introduces the concept of a section (Ref. 4). A section is a group of items to which the user can apply any of the six environmental vectors.

Some elements of the System Definition Language were not discussed before, because they were not central to the basic concepts employed in the description and to avoid confusion. The additional elements of the System Definition Language are:

1.  Resultant  Name 

2.  Formula  Modification  Code  (MOD) 

3.  Variable  Code. 

The Resultant Name is the name chosen by the user for either the answer for the variable of an item after it has been evaluated, or the name that is chosen for use in an E Vector. All references to items in that E Vector must use the Resultant Names and it is, therefore, important that these be unique within a section unless items are identical.

The  Formula  Modification  Code  (MOD) 
for  Duplicate  Items  was  introduced  for  future 
capabilities  in  GEM  which  might  evaluate  a 
variable  for  which  one  might  want  to  ignore 
the  fact  that  there  are  duplicates  of  an  item. 

The Variable Code designates the type of computation that will be used in evaluating the variable, e.g., purely algebraic, a state calculation involving differential equations, or some combination of these. The code TE is a generalized code which can be used to calculate all variables provided the necessary conditions are met.

The names of the combinatorial formulas in the Formula Library and the notations used for their associated parameters are presented in Table 13-7. This table presents the names of the formulas associated with sections and the notation to be used for their associated parameters. A GEM System Definition Coding Form is shown in Fig. 13-8 for guidance regarding the columns to be used for entering the information resulting from the description of a system by the System Definition Language. The columns for the placement of the command verbs to be described also are shown.

TABLE 13-7  FORMULAS ASSOCIATED WITH A SECTION⁴

FORMULA       MEANING AND REQUIREMENTS                      PARAMETERS

Formulas also permitted outside sections:

FENO          These formulas refer to pieces of equipment   -
FGNO *        with no repair or replacement. Those with
FLNO *        asterisks after them cannot appear in a
FTNO *        section with repair or replacement.

Formulas only permitted within sections:

FERE          Equipment with exponential failure and        RLAM - Failure rate.
              exponential repair. The repairman situation   XMU - Repair rate.
              is described in the REPMEN E-vector.
FESI          Equipment with exponential failure and
              instantaneous replacement. The spares pools
              are described in the SPARES E-vector.
FESE          Equipment with exponential failure and        RLAM - Failure rate.
              exponential replacement. The repairman        SLAM - Replacement rate.
              situation is described in the REPMEN
              E-vector and the spares pools in the
              SPARES E-vector.
SECT          The first formula of a section. Its           None.
              dependence on its subsystems is described
              in its UPSTATES E-vector.
S             The formula of a group item within a          None.
              section. Its dependence on its subsystem
              and pieces of equipment is described in its
              UPSTATES E-vector.

FIGURE 13-8.  GEM System Definition Language Coding Form⁴

13-3.3.4 The Command Language

The  System  Definition  Language  gives  the 
user  the  ability  to  describe  a problem.  The 
GEM  Command  Language  is  used  to  instruct 
the  computer  to  do  a computation  and  to 
modify  the  original  problem. 

The  basic  elements  (vocabulary)  of  the 
Command  Language  are: 

1.  Evaluation  Verbs: 

BEGIN 

END 

USE 

NAMING 

CALCULATE 

2.  Modification  Verbs: 

DELETE 

ADD

REPLACE 

ALTER 

VARY. 

The two commands BEGIN and END are used to initiate and stop, respectively, the GEM program on the computer for the purpose of making a “run” on the machine. A run can consist of one or more problems. Each problem starts with the USE card and ends with the NAMING card. The NAMING statement is followed by any name the user wishes to give the computed answer to the problem.

The  CALCULATE  statement  requests  the 
calculation  of  a variable  and  is  followed  by 
the  name  of  the  variable.  For  variables  which 
require  the  statement  of  a mission  time,  this 
information  is  stated  after  the  name  of  the 
variable. 

The  verbs  DELETE,  ADD,  REPLACE, 
ALTER,  and  VARY  are  used  to  modify  a 
system  description. 

The  command  DELETE  is  used  to  drop  a 
certain  portion  of  the  system  description.  If 
this  command  is  applied  to  an  03  level  item, 
for  instance,  then  this  item  and  all  its  lower 
level  items  will  be  dropped  from  the  system 
description. 

The command ADD will add to the system description either something that immediately follows the ADD command or a system (or portion thereof) which has been previously described or appears in the Systems Library.


The REPLACE command is a combination of the DELETE and ADD commands.

The  ALTER  command  is  used  to  change 
any  one  of  the  entries  for  an  individual  item, 
such  as  its  parameters,  name,  resultant  name, 
or  level.  Only  the  item  specified  is  affected  by 
the  ALTER;  its  lower  level  items  remain  the 
same. 

The VARY command is perhaps the most important one, because it gives the user the ability to make sensitivity analyses. It does this by allowing the user to vary the values of one or more parameters of items in the system description and see the effects of this on the value of the overall system answer. Thus, one can determine the sensitivity of the system Reliability with Repair to the failure rate and/or repair rate of an individual item or group of items appearing anywhere in the system description. The procedure followed in GEM is to compute the system answer for the requested variable for every value of the parameter specified in the VARY. Ref. 4 gives more specific examples of using GEM for a sample system; it includes block diagrams, GEM input, and GEM output.
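
The DELETE, ALTER, and VARY behavior described above, sketched as an added Python example; it is not GEM code or GEM input syntax and does not come from the handbook. The item names, failure rates, the series/exponential reliability model, and the convention that a larger level number is a lower level are assumptions made for illustration.

```python
import math

# Constructed system description: (level, name, failure rate per hour).
# Assumption: a larger level number (03 under 02 under 01) is a lower level.
SYSTEM = [
    (1, "RADAR", None),
    (2, "TRANSMITTER", None),
    (3, "MODULATOR", 2e-4),
    (3, "POWER-AMP", 5e-4),
    (2, "RECEIVER", 3e-4),
]

def delete(items, name):
    """DELETE: drop the named item and all of its lower-level items."""
    kept, cut_level = [], None
    for level, item, rate in items:
        if cut_level is not None and level > cut_level:
            continue              # still inside the deleted item's subtree
        cut_level = None
        if item == name:
            cut_level = level     # start skipping this item's subtree
            continue
        kept.append((level, item, rate))
    return kept

def alter(items, name, rate):
    """ALTER: change one entry of the named item only; lower levels stay."""
    return [(lv, it, rate if it == name else r) for lv, it, r in items]

def reliability(items, t):
    """Assumed model (not GEM's): rated items in series, exponential lives."""
    return math.exp(-t * sum(r for _, _, r in items if r is not None))

def vary(items, name, values, t):
    """VARY: recompute the system answer for every value of the parameter."""
    return [(v, reliability(alter(items, name, v), t)) for v in values]

if __name__ == "__main__":
    print(delete(SYSTEM, "TRANSMITTER"))
    for rate, r in vary(SYSTEM, "POWER-AMP", [1e-4, 5e-4, 1e-3], t=100.0):
        print(f"failure rate {rate:.0e}/h -> R(100 h) = {r:.4f}")
```
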

13-4  OTHER  PROGRAMS 

Other computer programs for calculating various aspects of reliability are listed in Part Two, Design for Reliability, par. 4-5. In addition, most computer installations have statistical packages for performing routine estimations, and simulation languages for performing Monte Carlo simulation. Few people can know all about all available programs. Specialists can assist in selecting a few from the available many, then help an engineer become familiar with those few. It is better to be able to use handily a fairly good program than to have only a remote knowledge of several excellent programs.

Bayes theorem (rule), 2-5
s-Bias, 4-1
Binomial distribution, 2-10
Block diagrams, 6-32
  functional, 6-2
Cause-consequence chart, See: Block diagram
Central moment, See: Moments
Chi-square distribution, 3-4
Coding redundancy, See: Redundancy
Common-cause failure (event), See: Common-mode event
Common-mode event, 2-6
Computer programs (system reliability), 13-1
  GEM (General Effectiveness Methodology), 13-9
  MARSEP (Mathematica’s Automated Reliability and Safety Evaluation Program), 13-1
  other, 13-20
s-Confidence, 4-2
s-Consistency, 4-1
Constrained optimization, See: Optimization
Convexity (optimization), 12-9
Convolution, 3-3
Correlation coefficient, See: Linear-correlation coefficient
Covariance, 3-5


Decision redundancy, See: Redundancy
Decreasing failure rate (DFR), 4-3
s-Dependent failures, 9-7
Distributions
  continuous variables, 3-3
  discrete variables, 2-10
  for specific distributions, See: the name of the distribution
Dynamic programming (optimization), 12-18
s-Efficiency, 4-1
Erlang distribution, 3-4
Estimation of parameters, 4-2
Estimators (properties of), See: s-Efficiency, s-Consistency, s-Bias
Event, 2-1, 3-1
Exponential distribution, 3-4, 9-1
Failure rate, 3-4, 3-5
Fault tree, See: Block diagram
Feasible directions method (optimization), 12-15
  Zoutendijk procedure, 12-15
  Rosen’s procedure, 12-17
Fourier transform, See: Laplace transform
Functional block diagram, See: Block diagram
Gamma distribution, 3-4
Good-as-new, 7-1
Goodness-of-fit, 4-3, 3-5
Gradient methods
  optimization, 12-2
  interpolation, 12-2
  steepest descent, 12-2
  second order optimization, 12-4
  conjugate directions, 12-5
  Fletcher-Powell, 12-5
Increasing failure rate (IFR), 4-3
s-Independence, 1-1, 2-5, 3-3
  conditional, 2-5, 3-3
k-out-of-n
  F-redundancy, See: Redundancy
  G-redundancy, See: Redundancy
  systems, See: Redundancy
Kuhn-Tucker conditions (optimization), 12-11


Maximization, See: Optimization
Mean square error, 4-1
Mean time between failures (MTBF), 6-21
Mean time to failure (MTF), 6-20
Minimization, See: Optimization
Models, See: Block diagrams
Moments, 2-11, 3-3
Monte Carlo simulation, 11-1
Moore-Shannon redundancy, See: Redundancy
Multiple-line redundancy, See: Redundancy
Nondecision redundancy, See: Redundancy
s-Normal distribution, 3-4, 9-3
Laplace-Stieltjes transform, See: Laplace transform
Laplace transforms, 5-1
Linear-correlation coefficient, 3-5
Linear programming, 12-1
  See also: Optimization
Lognormal distribution, 3-4
Luus-Jaakola method (optimization), 12-19, A-1
Maintenance, See: Repair
Majority logic, See: Redundancy
Markov
  chains, 5-1
  processes, 5-1


Optimization, 12-1
  constrained, 12-6
  Luus-Jaakola method, 12-19, A-1
  unconstrained, 12-2
  See also: Specific techniques
Parallel redundancy, See: Redundancy (k-out-of-n)
Parameter estimation, See: Estimation of parameters
Penalty function method (optimization), 12-17
  Fiacco-McCormick, 12-18
Poisson distribution, 2-10
Populations, 4-3
Probability
  concepts, See: s-Independence, Distributions, Moments
  definitions, 2-1, 2-2, 2-4, 3-1, 3-2
  foundations
    continuous variables, 2-1
    discrete variables, 3-1
  theory
    continuous variables, 3-1
    discrete variables, 2-1
  See also: Distributions


R 


Random numbers, 11-3
Random sample, 4-3
Random variables, 2-10
Redundancy, 7-1, 8-1, 9-1, 10-1, 7-3
  See also: Repair
  active, 9-12, 10-16
  coding, 10-19
  decision, 10-7
  k-out-of-n, 7-4, 8-1
  k-out-of-n:F, 6-21, 7-4, 8-1
  k-out-of-n:G, 6-21, 7-4, 8-1
  majority logic, See: Voting
  Moore-Shannon, 10-2
  multiple line, 10-11
  nondecision, 10-2
  parallel, See: k-out-of-n
  standby, 9-9, 9-12, 10-15
  switching, 7-4, 10-15
  voting, 7-4, 8-5, 10-7
Regeneration points, 5-2
Reliability
  block diagram, See: Block diagram
  measures, 9-2
  model, See: Block diagram
  prediction, 8-1, 9-1, 10-1, 13-1
  time-dependent, 9-1
  time-dependent, 8-1
Repair, 7-1, 7-5, 9-12, 6-1, 6-29
  See also: Redundancy


S 


Sample, See: Random sample
  point, 2-1, 3-1
  space, 2-1, 3-1
s-Significance, 4-2
Simulation, See: Monte Carlo simulation
Spares, See: Repair
Standby redundancy, See: Redundancy
Statistical theory, 4-1
Switching, See: Redundancy
Switching redundancy, See: Redundancy
System
  analysis, 6-2
  reliability model, 6-1, 6-3
  state, 5-1

T

Transformation of variables, 3-3, 3-5
Unconstrained optimization, See: Optimization
Uniform distribution, 3-4

V

Variance, 3-5
  See also: Moments
Venn diagrams, 3-2
Voting redundancy, See: Redundancy


W 


Weibull  distribution,  3-4 